fix: replace orchestrator-develop branch references with main

The orchestrator-develop branch no longer exists. Update all fallback
clone commands and test fixtures to use main instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

action.yml

@@ -279,30 +279,66 @@ inputs:
     description:
       '[Orchestrator] Specifies the repo for the unity builder. Useful if you forked the repo for testing, features, or
       fixes.'
-  gitIntegrityCheck:
-    description: 'Run git integrity checks before build (fsck, lock cleanup, submodule validation)'
+  remotePowershellHost:
+    default: ''
     required: false
-    default: 'false'
-  gitAutoRecover:
-    description: 'Attempt automatic recovery if git corruption is detected'
+    description: '[Orchestrator] Remote PowerShell host (hostname or IP) for the remote-powershell provider'
+  remotePowershellCredential:
+    default: ''
     required: false
-    default: 'false'
-  cleanReservedFilenames:
-    description: 'Remove Windows reserved filenames that cause Unity import loops'
+    description: '[Orchestrator] Remote PowerShell credential (username:password or certificate path)'
+  remotePowershellTransport:
+    default: 'wsman'
     required: false
-    default: 'false'
-  buildArchiveEnabled:
-    description: 'Archive build output after successful build'
+    description: '[Orchestrator] Remote PowerShell transport protocol (wsman or ssh)'
+  githubActionsRepo:
+    default: ''
     required: false
-    default: 'false'
-  buildArchivePath:
-    description: 'Path to store build archives'
+    description: '[Orchestrator] Target repository (owner/repo) for the github-actions provider'
+  githubActionsWorkflow:
+    default: ''
     required: false
-    default: './build-archives'
-  buildArchiveRetention:
-    description: 'Days to retain build archives before cleanup'
+    description: '[Orchestrator] Workflow filename or ID to dispatch for the github-actions provider'
+  githubActionsToken:
+    default: ''
     required: false
-    default: '30'
+    description: '[Orchestrator] PAT with actions:write scope for the github-actions provider'
+  githubActionsRef:
+    default: 'main'
+    required: false
+    description: '[Orchestrator] Branch/ref to run the workflow on for the github-actions provider'
+  gitlabProjectId:
+    default: ''
+    required: false
+    description: '[Orchestrator] GitLab project ID or URL-encoded path for the gitlab-ci provider'
+  gitlabTriggerToken:
+    default: ''
+    required: false
+    description: '[Orchestrator] Pipeline trigger token for the gitlab-ci provider'
+  gitlabApiUrl:
+    default: 'https://gitlab.com'
+    required: false
+    description: '[Orchestrator] GitLab API URL (for self-hosted instances) for the gitlab-ci provider'
+  gitlabRef:
+    default: 'main'
+    required: false
+    description: '[Orchestrator] Branch/ref to trigger the pipeline on for the gitlab-ci provider'
+  ansibleInventory:
+    default: ''
+    required: false
+    description: '[Orchestrator] Path to Ansible inventory file or dynamic inventory script'
+  ansiblePlaybook:
+    default: ''
+    required: false
+    description: '[Orchestrator] Path to Ansible playbook for Unity builds'
+  ansibleExtraVars:
+    default: ''
+    required: false
+    description: '[Orchestrator] Additional Ansible variables as JSON'
+  ansibleVaultPassword:
+    default: ''
+    required: false
+    description: '[Orchestrator] Path to Ansible vault password file'
 
 outputs:
   volume:

src/index.ts

@@ -3,7 +3,6 @@ import { Action, BuildParameters, Cache, Orchestrator, Docker, ImageTag, Output
 import { Cli } from './model/cli/cli';
 import MacBuilder from './model/mac-builder';
 import PlatformSetup from './model/platform-setup';
-import { BuildReliabilityService } from './model/orchestrator/services/reliability';
 
 async function runMain() {
   try {
@@ -15,38 +14,11 @@ async function runMain() {
     Action.checkCompatibility();
     Cache.verify();
 
-    // Always configure git environment for CI reliability
-    BuildReliabilityService.configureGitEnvironment();
-
     const { workspace, actionFolder } = Action;
 
     const buildParameters = await BuildParameters.create();
     const baseImage = new ImageTag(buildParameters);
 
-    // Pre-build reliability checks
-    if (buildParameters.gitIntegrityCheck) {
-      core.info('Running git integrity checks...');
-
-      const isHealthy = BuildReliabilityService.checkGitIntegrity(workspace);
-      BuildReliabilityService.cleanStaleLockFiles(workspace);
-      BuildReliabilityService.validateSubmoduleBackingStores(workspace);
-
-      if (buildParameters.cleanReservedFilenames) {
-        BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
-      }
-
-      if (!isHealthy && buildParameters.gitAutoRecover) {
-        core.info('Git corruption detected, attempting automatic recovery...');
-        const recovered = BuildReliabilityService.recoverCorruptedRepo(workspace);
-        if (!recovered) {
-          core.warning('Automatic recovery failed. Build may encounter issues.');
-        }
-      }
-    } else if (buildParameters.cleanReservedFilenames) {
-      // cleanReservedFilenames can run independently of gitIntegrityCheck
-      BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
-    }
-
     let exitCode = -1;
 
     if (buildParameters.providerStrategy === 'local') {
@@ -65,13 +37,6 @@ async function runMain() {
       exitCode = 0;
     }
 
-    // Post-build: archive and enforce retention
-    if (buildParameters.buildArchiveEnabled && exitCode === 0) {
-      core.info('Archiving build output...');
-      BuildReliabilityService.archiveBuildOutput(buildParameters.buildPath, buildParameters.buildArchivePath);
-      BuildReliabilityService.enforceRetention(buildParameters.buildArchivePath, buildParameters.buildArchiveRetention);
-    }
-
     // Set output
     await Output.setBuildVersion(buildParameters.buildVersion);
     await Output.setAndroidVersionCode(buildParameters.androidVersionCode);

src/model/build-parameters.ts

@@ -106,12 +106,29 @@ class BuildParameters {
   public cacheUnityInstallationOnMac!: boolean;
   public unityHubVersionOnMac!: string;
   public dockerWorkspacePath!: string;
-  public gitIntegrityCheck!: boolean;
-  public gitAutoRecover!: boolean;
-  public cleanReservedFilenames!: boolean;
-  public buildArchiveEnabled!: boolean;
-  public buildArchivePath!: string;
-  public buildArchiveRetention!: number;
+
+  // Remote PowerShell provider
+  public remotePowershellHost!: string;
+  public remotePowershellCredential!: string;
+  public remotePowershellTransport!: string;
+
+  // GitHub Actions provider
+  public githubActionsRepo!: string;
+  public githubActionsWorkflow!: string;
+  public githubActionsToken!: string;
+  public githubActionsRef!: string;
+
+  // GitLab CI provider
+  public gitlabProjectId!: string;
+  public gitlabTriggerToken!: string;
+  public gitlabApiUrl!: string;
+  public gitlabRef!: string;
+
+  // Ansible provider
+  public ansibleInventory!: string;
+  public ansiblePlaybook!: string;
+  public ansibleExtraVars!: string;
+  public ansibleVaultPassword!: string;
 
   public static shouldUseRetainedWorkspaceMode(buildParameters: BuildParameters) {
     return buildParameters.maxRetainedWorkspaces > 0 && Orchestrator.lockedWorkspace !== ``;
@@ -248,12 +265,29 @@ class BuildParameters {
       cacheUnityInstallationOnMac: Input.cacheUnityInstallationOnMac,
       unityHubVersionOnMac: Input.unityHubVersionOnMac,
       dockerWorkspacePath: Input.dockerWorkspacePath,
-      gitIntegrityCheck: Input.gitIntegrityCheck,
-      gitAutoRecover: Input.gitAutoRecover,
-      cleanReservedFilenames: Input.cleanReservedFilenames,
-      buildArchiveEnabled: Input.buildArchiveEnabled,
-      buildArchivePath: Input.buildArchivePath,
-      buildArchiveRetention: Input.buildArchiveRetention,
+
+      // Remote PowerShell provider
+      remotePowershellHost: Input.remotePowershellHost,
+      remotePowershellCredential: Input.remotePowershellCredential,
+      remotePowershellTransport: Input.remotePowershellTransport,
+
+      // GitHub Actions provider
+      githubActionsRepo: Input.githubActionsRepo,
+      githubActionsWorkflow: Input.githubActionsWorkflow,
+      githubActionsToken: Input.githubActionsToken,
+      githubActionsRef: Input.githubActionsRef,
+
+      // GitLab CI provider
+      gitlabProjectId: Input.gitlabProjectId,
+      gitlabTriggerToken: Input.gitlabTriggerToken,
+      gitlabApiUrl: Input.gitlabApiUrl,
+      gitlabRef: Input.gitlabRef,
+
+      // Ansible provider
+      ansibleInventory: Input.ansibleInventory,
+      ansiblePlaybook: Input.ansiblePlaybook,
+      ansibleExtraVars: Input.ansibleExtraVars,
+      ansibleVaultPassword: Input.ansibleVaultPassword,
     };
   }
 

src/model/input.ts

@@ -282,36 +282,80 @@ class Input {
     return Input.getInput('skipActivation')?.toLowerCase() ?? 'false';
   }
 
-  static get gitIntegrityCheck(): boolean {
-    const input = Input.getInput('gitIntegrityCheck') ?? 'false';
+  // ### ### ###
+  // Remote PowerShell provider
+  // ### ### ###
 
-    return input === 'true';
+  static get remotePowershellHost(): string {
+    return Input.getInput('remotePowershellHost') ?? '';
   }
 
-  static get gitAutoRecover(): boolean {
-    const input = Input.getInput('gitAutoRecover') ?? 'false';
-
-    return input === 'true';
+  static get remotePowershellCredential(): string {
+    return Input.getInput('remotePowershellCredential') ?? '';
   }
 
-  static get cleanReservedFilenames(): boolean {
-    const input = Input.getInput('cleanReservedFilenames') ?? 'false';
-
-    return input === 'true';
+  static get remotePowershellTransport(): string {
+    return Input.getInput('remotePowershellTransport') ?? 'wsman';
   }
 
-  static get buildArchiveEnabled(): boolean {
-    const input = Input.getInput('buildArchiveEnabled') ?? 'false';
+  // ### ### ###
+  // GitHub Actions provider
+  // ### ### ###
 
-    return input === 'true';
+  static get githubActionsRepo(): string {
+    return Input.getInput('githubActionsRepo') ?? '';
   }
 
-  static get buildArchivePath(): string {
-    return Input.getInput('buildArchivePath') ?? './build-archives';
+  static get githubActionsWorkflow(): string {
+    return Input.getInput('githubActionsWorkflow') ?? '';
   }
 
-  static get buildArchiveRetention(): number {
-    return Number.parseInt(Input.getInput('buildArchiveRetention') ?? '30', 10);
+  static get githubActionsToken(): string {
+    return Input.getInput('githubActionsToken') ?? '';
+  }
+
+  static get githubActionsRef(): string {
+    return Input.getInput('githubActionsRef') ?? 'main';
+  }
+
+  // ### ### ###
+  // GitLab CI provider
+  // ### ### ###
+
+  static get gitlabProjectId(): string {
+    return Input.getInput('gitlabProjectId') ?? '';
+  }
+
+  static get gitlabTriggerToken(): string {
+    return Input.getInput('gitlabTriggerToken') ?? '';
+  }
+
+  static get gitlabApiUrl(): string {
+    return Input.getInput('gitlabApiUrl') ?? 'https://gitlab.com';
+  }
+
+  static get gitlabRef(): string {
+    return Input.getInput('gitlabRef') ?? 'main';
+  }
+
+  // ### ### ###
+  // Ansible provider
+  // ### ### ###
+
+  static get ansibleInventory(): string {
+    return Input.getInput('ansibleInventory') ?? '';
+  }
+
+  static get ansiblePlaybook(): string {
+    return Input.getInput('ansiblePlaybook') ?? '';
+  }
+
+  static get ansibleExtraVars(): string {
+    return Input.getInput('ansibleExtraVars') ?? '';
+  }
+
+  static get ansibleVaultPassword(): string {
+    return Input.getInput('ansibleVaultPassword') ?? '';
   }
 
   public static ToEnvVarFormat(input: string) {

src/model/orchestrator/orchestrator.ts

@@ -13,6 +13,10 @@ import OrchestratorEnvironmentVariable from './options/orchestrator-environment-
 import TestOrchestrator from './providers/test';
 import LocalOrchestrator from './providers/local';
 import LocalDockerOrchestrator from './providers/docker';
+import RemotePowershellProvider from './providers/remote-powershell';
+import GitHubActionsProvider from './providers/github-actions';
+import GitLabCIProvider from './providers/gitlab-ci';
+import AnsibleProvider from './providers/ansible';
 import loadProvider from './providers/provider-loader';
 import GitHub from '../github';
 import SharedWorkspaceLocking from './services/core/shared-workspace-locking';
@@ -158,6 +162,18 @@ class Orchestrator {
       case 'local':
         Orchestrator.Provider = new LocalOrchestrator();
         break;
+      case 'remote-powershell':
+        Orchestrator.Provider = new RemotePowershellProvider(Orchestrator.buildParameters);
+        break;
+      case 'github-actions':
+        Orchestrator.Provider = new GitHubActionsProvider(Orchestrator.buildParameters);
+        break;
+      case 'gitlab-ci':
+        Orchestrator.Provider = new GitLabCIProvider(Orchestrator.buildParameters);
+        break;
+      case 'ansible':
+        Orchestrator.Provider = new AnsibleProvider(Orchestrator.buildParameters);
+        break;
       default:
         // Try to load provider using the dynamic loader for unknown providers
         try {

src/model/orchestrator/providers/ansible/ansible-provider.test.ts

@@ -0,0 +1,291 @@
+import AnsibleProvider from '.';
+import BuildParameters from '../../../build-parameters';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+import * as core from '@actions/core';
+
+jest.mock('../../services/core/orchestrator-system');
+jest.mock('../../services/core/orchestrator-logger');
+jest.mock('@actions/core', () => ({
+  info: jest.fn(),
+  warning: jest.fn(),
+  error: jest.fn(),
+  setOutput: jest.fn(),
+  getInput: jest.fn(() => ''),
+}));
+
+const mockRun = OrchestratorSystem.Run as jest.MockedFunction<typeof OrchestratorSystem.Run>;
+const mockLog = OrchestratorLogger.log as jest.MockedFunction<typeof OrchestratorLogger.log>;
+const mockLogWarning = OrchestratorLogger.logWarning as jest.MockedFunction<typeof OrchestratorLogger.logWarning>;
+
+function createBuildParameters(overrides: Partial<BuildParameters> = {}): BuildParameters {
+  return {
+    ansibleInventory: '/etc/ansible/hosts',
+    ansiblePlaybook: '/playbooks/unity-build.yml',
+    ansibleExtraVars: '',
+    ansibleVaultPassword: '',
+    ...overrides,
+  } as BuildParameters;
+}
+
+describe('AnsibleProvider', () => {
+  let provider: AnsibleProvider;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    provider = new AnsibleProvider(createBuildParameters());
+  });
+
+  describe('constructor', () => {
+    it('initializes with all provided parameters', () => {
+      const params = createBuildParameters({
+        ansibleInventory: '/custom/inventory',
+        ansiblePlaybook: '/custom/playbook.yml',
+        ansibleExtraVars: '{"key":"value"}',
+        ansibleVaultPassword: '/vault/pass',
+      });
+      const p = new AnsibleProvider(params);
+      expect(p).toBeDefined();
+    });
+
+    it('handles missing optional parameters gracefully', () => {
+      const params = createBuildParameters({
+        ansiblePlaybook: undefined,
+        ansibleExtraVars: undefined,
+        ansibleVaultPassword: undefined,
+      });
+      const p = new AnsibleProvider(params);
+      expect(p).toBeDefined();
+    });
+  });
+
+  describe('setupWorkflow', () => {
+    it('verifies ansible binary, ansible-playbook binary, and inventory exist', async () => {
+      mockRun.mockResolvedValueOnce('ansible [core 2.14.0]'); // ansible --version
+      mockRun.mockResolvedValueOnce('/usr/bin/ansible-playbook'); // ansible-playbook check
+      mockRun.mockResolvedValueOnce(''); // test -e inventory
+
+      await provider.setupWorkflow('guid-123', createBuildParameters(), 'main', []);
+
+      expect(mockRun).toHaveBeenCalledTimes(3);
+      expect(mockRun.mock.calls[0][0]).toContain('ansible --version');
+      expect(mockRun.mock.calls[1][0]).toContain('ansible-playbook');
+      expect(mockRun.mock.calls[2][0]).toContain('test -e "/etc/ansible/hosts"');
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('ansible'));
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('ansible-playbook binary verified'));
+    });
+
+    it('throws when inventory is not configured', async () => {
+      const params = createBuildParameters({ ansibleInventory: '' });
+      provider = new AnsibleProvider(params);
+
+      await expect(provider.setupWorkflow('guid-123', params, 'main', [])).rejects.toThrow(
+        'ansibleInventory is required',
+      );
+    });
+
+    it('throws when ansible binary is not found on PATH', async () => {
+      mockRun.mockRejectedValueOnce(new Error('command not found: ansible'));
+
+      await expect(provider.setupWorkflow('guid-123', createBuildParameters(), 'main', [])).rejects.toThrow(
+        'Ansible not found on PATH',
+      );
+    });
+
+    it('throws when ansible-playbook binary is not found', async () => {
+      mockRun.mockResolvedValueOnce('ansible [core 2.14.0]'); // ansible version OK
+      mockRun.mockRejectedValueOnce(new Error('command not found')); // ansible-playbook missing
+
+      await expect(provider.setupWorkflow('guid-123', createBuildParameters(), 'main', [])).rejects.toThrow(
+        'ansible-playbook not found on PATH',
+      );
+
+      expect(core.error).toHaveBeenCalledWith('ansible-playbook not found. Install Ansible or ensure it is in PATH.');
+    });
+
+    it('throws when inventory file does not exist', async () => {
+      mockRun.mockResolvedValueOnce('ansible [core 2.14.0]'); // ansible version OK
+      mockRun.mockResolvedValueOnce('/usr/bin/ansible-playbook'); // ansible-playbook OK
+      mockRun.mockRejectedValueOnce(new Error('test -e failed')); // inventory missing
+
+      await expect(provider.setupWorkflow('guid-123', createBuildParameters(), 'main', [])).rejects.toThrow(
+        'Inventory not found: /etc/ansible/hosts',
+      );
+    });
+  });
+
+  describe('runTaskInWorkflow', () => {
+    it('constructs ansible-playbook command with correct variables and returns output', async () => {
+      mockRun.mockResolvedValueOnce('PLAY [build] *****\nok: [server1]\nPLAY RECAP');
+
+      const result = await provider.runTaskInWorkflow(
+        'guid-run1',
+        'unityci/editor:2021.3',
+        'echo build',
+        '/mount',
+        '/workspace',
+        [],
+        [],
+      );
+
+      expect(result).toContain('PLAY [build]');
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('ansible-playbook');
+      expect(command).toContain('-i "/etc/ansible/hosts"');
+      expect(command).toContain('"/playbooks/unity-build.yml"');
+      expect(command).toContain('--no-color');
+      expect(command).toContain('build_guid');
+      expect(command).toContain('guid-run1');
+      expect(command).toContain('build_image');
+      expect(command).toContain('unityci/editor:2021.3');
+      expect(command).toContain('build_commands');
+      expect(command).toContain('mount_dir');
+      expect(command).toContain('working_dir');
+    });
+
+    it('throws when playbook is not configured', async () => {
+      const params = createBuildParameters({ ansiblePlaybook: '' });
+      provider = new AnsibleProvider(params);
+
+      await expect(provider.runTaskInWorkflow('guid-nopb', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'ansiblePlaybook is required',
+      );
+    });
+
+    it('passes environment variables as extra-vars in snake_case', async () => {
+      mockRun.mockResolvedValueOnce('ok');
+
+      const env = [
+        { name: 'UNITY_LICENSE', value: 'lic-data' },
+        { name: 'BUILD_TARGET', value: 'Linux64' },
+      ];
+
+      await provider.runTaskInWorkflow('guid-env', 'img', 'cmd', '/m', '/w', env as any, []);
+
+      const command = mockRun.mock.calls[0][0];
+      // Environment variable names are lowercased as Ansible variables
+      expect(command).toContain('unity_license');
+      expect(command).toContain('lic-data');
+      expect(command).toContain('build_target');
+      expect(command).toContain('Linux64');
+    });
+
+    it('merges user-provided extra vars from JSON string', async () => {
+      const params = createBuildParameters({
+        ansibleExtraVars: JSON.stringify({ custom_var: 'custom_value', another: '42' }),
+      });
+      provider = new AnsibleProvider(params);
+      mockRun.mockResolvedValueOnce('ok');
+
+      await provider.runTaskInWorkflow('guid-extra', 'img', 'cmd', '/m', '/w', [], []);
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('custom_var');
+      expect(command).toContain('custom_value');
+      expect(command).toContain('another');
+    });
+
+    it('logs warning when extra vars JSON is invalid but continues', async () => {
+      const params = createBuildParameters({ ansibleExtraVars: 'not-valid-json{{{' });
+      provider = new AnsibleProvider(params);
+      mockRun.mockResolvedValueOnce('ok');
+
+      await provider.runTaskInWorkflow('guid-badjson', 'img', 'cmd', '/m', '/w', [], []);
+
+      expect(mockLogWarning).toHaveBeenCalledWith(expect.stringContaining('Failed to parse ansibleExtraVars'));
+    });
+
+    it('includes vault password file flag when configured', async () => {
+      const params = createBuildParameters({ ansibleVaultPassword: '/secure/vault-pass.txt' });
+      provider = new AnsibleProvider(params);
+      mockRun.mockResolvedValueOnce('ok');
+
+      await provider.runTaskInWorkflow('guid-vault', 'img', 'cmd', '/m', '/w', [], []);
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('--vault-password-file "/secure/vault-pass.txt"');
+    });
+
+    it('does not include vault password flag when not configured', async () => {
+      mockRun.mockResolvedValueOnce('ok');
+
+      await provider.runTaskInWorkflow('guid-novault', 'img', 'cmd', '/m', '/w', [], []);
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).not.toContain('--vault-password-file');
+    });
+
+    it('prefixes secrets as environment variables in the command', async () => {
+      mockRun.mockResolvedValueOnce('ok');
+
+      const secrets = [
+        { ParameterKey: 'key1', EnvironmentVariable: 'SECRET_TOKEN', ParameterValue: 'tok-abc' },
+        { ParameterKey: 'key2', EnvironmentVariable: 'DEPLOY_KEY', ParameterValue: 'dk-xyz' },
+      ];
+
+      await provider.runTaskInWorkflow('guid-secrets', 'img', 'cmd', '/m', '/w', [], secrets as any);
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toMatch(/^SECRET_TOKEN='tok-abc'/);
+      expect(command).toContain("DEPLOY_KEY='dk-xyz'");
+      expect(command).toContain('ansible-playbook');
+    });
+
+    it('throws and logs warning when playbook execution fails', async () => {
+      const execError = new Error('UNREACHABLE! Host unreachable');
+      mockRun.mockRejectedValueOnce(execError);
+
+      await expect(provider.runTaskInWorkflow('guid-hostfail', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'UNREACHABLE',
+      );
+
+      expect(mockLogWarning).toHaveBeenCalledWith(expect.stringContaining('Playbook failed'));
+    });
+  });
+
+  describe('cleanupWorkflow', () => {
+    it('completes without error and logs cleanup message', async () => {
+      await provider.cleanupWorkflow(createBuildParameters(), 'main', []);
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('Cleanup complete'));
+    });
+  });
+
+  describe('garbageCollect', () => {
+    it('returns empty string (no-op)', async () => {
+      const result = await provider.garbageCollect('', false, 0, false, false);
+      expect(result).toBe('');
+    });
+  });
+
+  describe('listResources', () => {
+    it('returns inventory path as a resource when configured', async () => {
+      const resources = await provider.listResources();
+
+      expect(resources).toHaveLength(1);
+      expect(resources[0].Name).toBe('/etc/ansible/hosts');
+    });
+
+    it('returns empty array when inventory is not configured', async () => {
+      const params = createBuildParameters({ ansibleInventory: '' });
+      provider = new AnsibleProvider(params);
+
+      const resources = await provider.listResources();
+      expect(resources).toEqual([]);
+    });
+  });
+
+  describe('listWorkflow', () => {
+    it('returns empty array (not implemented)', async () => {
+      const workflows = await provider.listWorkflow();
+      expect(workflows).toEqual([]);
+    });
+  });
+
+  describe('watchWorkflow', () => {
+    it('returns empty string (not implemented)', async () => {
+      const result = await provider.watchWorkflow();
+      expect(result).toBe('');
+    });
+  });
+});

src/model/orchestrator/providers/ansible/index.ts

@@ -0,0 +1,197 @@
+import * as core from '@actions/core';
+import BuildParameters from '../../../build-parameters';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import OrchestratorEnvironmentVariable from '../../options/orchestrator-environment-variable';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+import { ProviderInterface } from '../provider-interface';
+import OrchestratorSecret from '../../options/orchestrator-secret';
+import { ProviderResource } from '../provider-resource';
+import { ProviderWorkflow } from '../provider-workflow';
+
+/**
+ * Ansible provider — executes Unity builds via Ansible playbooks
+ * against managed inventory.
+ *
+ * Use case: Teams with existing Ansible infrastructure for server
+ * management who want to leverage their inventory for build distribution.
+ */
+class AnsibleProvider implements ProviderInterface {
+  private buildParameters: BuildParameters;
+  private inventory: string;
+  private playbook: string;
+  private extraVariables: string;
+  private vaultPassword: string;
+
+  constructor(buildParameters: BuildParameters) {
+    this.buildParameters = buildParameters;
+    this.inventory = buildParameters.ansibleInventory || '';
+    this.playbook = buildParameters.ansiblePlaybook || '';
+    this.extraVariables = buildParameters.ansibleExtraVars || '';
+    this.vaultPassword = buildParameters.ansibleVaultPassword || '';
+  }
+
+  async setupWorkflow(
+    // eslint-disable-next-line no-unused-vars
+    buildGuid: string,
+    // eslint-disable-next-line no-unused-vars
+    buildParameters: BuildParameters,
+    // eslint-disable-next-line no-unused-vars
+    branchName: string,
+    // eslint-disable-next-line no-unused-vars
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ): Promise<void> {
+    OrchestratorLogger.log(`[Ansible] Setting up playbook execution`);
+
+    if (!this.inventory) {
+      throw new Error('ansibleInventory is required for the ansible provider');
+    }
+
+    // Verify ansible is available
+    try {
+      const version = await OrchestratorSystem.Run('ansible --version | head -1');
+      OrchestratorLogger.log(`[Ansible] ${version.trim()}`);
+    } catch (error: any) {
+      throw new Error(`Ansible not found on PATH: ${error.message || error}`);
+    }
+
+    // Verify ansible-playbook binary exists (may be separate from ansible)
+    try {
+      await OrchestratorSystem.Run('command -v ansible-playbook || which ansible-playbook || where ansible-playbook');
+      OrchestratorLogger.log(`[Ansible] ansible-playbook binary verified`);
+    } catch (error: any) {
+      core.error('ansible-playbook not found. Install Ansible or ensure it is in PATH.');
+      throw new Error(`ansible-playbook not found on PATH: ${error.message || error}`);
+    }
+
+    // Verify inventory exists
+    try {
+      await OrchestratorSystem.Run(`test -e "${this.inventory}"`);
+    } catch {
+      throw new Error(`Inventory not found: ${this.inventory}`);
+    }
+  }
+
+  async runTaskInWorkflow(
+    buildGuid: string,
+    image: string,
+    commands: string,
+    mountdir: string,
+    workingdir: string,
+    environment: OrchestratorEnvironmentVariable[],
+    secrets: OrchestratorSecret[],
+  ): Promise<string> {
+    OrchestratorLogger.log(`[Ansible] Running playbook against inventory ${this.inventory}`);
+
+    if (!this.playbook) {
+      throw new Error(
+        'ansiblePlaybook is required — no default playbook is provided yet. ' +
+          'Provide a playbook that accepts build_guid, build_image, build_commands, mount_dir, and working_dir variables.',
+      );
+    }
+
+    // Build extra-vars JSON
+    // These use snake_case because they are Ansible variable names passed to playbooks
+    const playbookVariables: Record<string, string> = {
+      // eslint-disable-next-line camelcase
+      build_guid: buildGuid,
+      // eslint-disable-next-line camelcase
+      build_image: image,
+      // eslint-disable-next-line camelcase
+      build_commands: commands,
+      // eslint-disable-next-line camelcase
+      mount_dir: mountdir,
+      // eslint-disable-next-line camelcase
+      working_dir: workingdir,
+    };
+
+    for (const element of environment) {
+      playbookVariables[element.name.toLowerCase()] = element.value;
+    }
+
+    // Merge user-provided extra vars
+    if (this.extraVariables) {
+      try {
+        const userVariables = JSON.parse(this.extraVariables);
+        Object.assign(playbookVariables, userVariables);
+      } catch {
+        OrchestratorLogger.logWarning(`[Ansible] Failed to parse ansibleExtraVars as JSON, using as-is`);
+      }
+    }
+
+    const extraVariablesJson = JSON.stringify(playbookVariables).replace(/'/g, "'\\''");
+
+    // Build ansible-playbook command
+    const commandParts = [
+      'ansible-playbook',
+      `-i "${this.inventory}"`,
+      `"${this.playbook}"`,
+      `-e '${extraVariablesJson}'`,
+      '--no-color',
+    ];
+
+    if (this.vaultPassword) {
+      commandParts.push(`--vault-password-file "${this.vaultPassword}"`);
+    }
+
+    // Add secret variables as extra environment
+    const environmentPrefix = secrets
+      .map((secret) => `${secret.EnvironmentVariable}='${secret.ParameterValue}'`)
+      .join(' ');
+
+    const fullCommand = environmentPrefix ? `${environmentPrefix} ${commandParts.join(' ')}` : commandParts.join(' ');
+
+    try {
+      const output = await OrchestratorSystem.Run(fullCommand);
+      OrchestratorLogger.log(`[Ansible] Playbook completed successfully`);
+
+      return output;
+    } catch (error: any) {
+      OrchestratorLogger.logWarning(`[Ansible] Playbook failed: ${error.message || error}`);
+      throw error;
+    }
+  }
+
+  async cleanupWorkflow(
+    // eslint-disable-next-line no-unused-vars
+    buildParameters: BuildParameters,
+    // eslint-disable-next-line no-unused-vars
+    branchName: string,
+    // eslint-disable-next-line no-unused-vars
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ): Promise<void> {
+    OrchestratorLogger.log(`[Ansible] Cleanup complete`);
+  }
+
+  async garbageCollect(
+    // eslint-disable-next-line no-unused-vars
+    filter: string,
+    // eslint-disable-next-line no-unused-vars
+    previewOnly: boolean,
+    // eslint-disable-next-line no-unused-vars
+    olderThan: Number,
+    // eslint-disable-next-line no-unused-vars
+    fullCache: boolean,
+    // eslint-disable-next-line no-unused-vars
+    baseDependencies: boolean,
+  ): Promise<string> {
+    return '';
+  }
+
+  async listResources(): Promise<ProviderResource[]> {
+    if (!this.inventory) return [];
+
+    const resource = new ProviderResource();
+    resource.Name = this.inventory;
+
+    return [resource];
+  }
+
+  async listWorkflow(): Promise<ProviderWorkflow[]> {
+    return [];
+  }
+
+  async watchWorkflow(): Promise<string> {
+    return '';
+  }
+}
+export default AnsibleProvider;

src/model/orchestrator/providers/github-actions/github-actions-provider.test.ts

@@ -0,0 +1,333 @@
+import GitHubActionsProvider from '.';
+import BuildParameters from '../../../build-parameters';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+import * as core from '@actions/core';
+
+jest.mock('../../services/core/orchestrator-system');
+jest.mock('../../services/core/orchestrator-logger');
+jest.mock('@actions/core', () => ({
+  info: jest.fn(),
+  warning: jest.fn(),
+  error: jest.fn(),
+  setOutput: jest.fn(),
+  getInput: jest.fn(() => ''),
+}));
+
+const mockRun = OrchestratorSystem.Run as jest.MockedFunction<typeof OrchestratorSystem.Run>;
+const mockLog = OrchestratorLogger.log as jest.MockedFunction<typeof OrchestratorLogger.log>;
+
+function createBuildParameters(overrides: Partial<BuildParameters> = {}): BuildParameters {
+  return {
+    githubActionsRepo: 'owner/repo',
+    githubActionsWorkflow: 'build.yml',
+    githubActionsToken: 'ghp_test_token_123',
+    githubActionsRef: 'main',
+    ...overrides,
+  } as BuildParameters;
+}
+
+// Override setTimeout to execute callbacks immediately so polling loops complete fast
+const originalSetTimeout = global.setTimeout;
+beforeAll(() => {
+  global.setTimeout = ((fn: (...args: any[]) => void, _ms?: number, ...args: any[]) => {
+    return originalSetTimeout(fn, 0, ...args);
+  }) as any;
+});
+afterAll(() => {
+  global.setTimeout = originalSetTimeout;
+});
+
+describe('GitHubActionsProvider', () => {
+  let provider: GitHubActionsProvider;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    provider = new GitHubActionsProvider(createBuildParameters());
+  });
+
+  describe('constructor', () => {
+    it('sets default ref to main when not specified', () => {
+      const params = createBuildParameters({ githubActionsRef: undefined });
+      const p = new GitHubActionsProvider(params);
+      expect(p).toBeDefined();
+    });
+
+    it('uses provided ref when specified', () => {
+      const params = createBuildParameters({ githubActionsRef: 'develop' });
+      const p = new GitHubActionsProvider(params);
+      expect(p).toBeDefined();
+    });
+  });
+
+  describe('setupWorkflow', () => {
+    it('verifies workflow exists via gh api and logs success', async () => {
+      mockRun.mockResolvedValueOnce('12345\n');
+
+      await provider.setupWorkflow('guid-123', createBuildParameters(), 'main', []);
+
+      expect(mockRun).toHaveBeenCalledTimes(1);
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('gh api repos/owner/repo/actions/workflows/build.yml');
+      expect(command).toContain("--jq '.id'");
+      expect(command).toContain('GH_TOKEN=ghp_test_token_123');
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('Workflow verified'));
+    });
+
+    it('throws when repo is not configured', async () => {
+      const params = createBuildParameters({ githubActionsRepo: '' });
+      provider = new GitHubActionsProvider(params);
+
+      await expect(provider.setupWorkflow('guid-123', params, 'main', [])).rejects.toThrow(
+        'githubActionsRepo and githubActionsWorkflow are required',
+      );
+    });
+
+    it('throws when workflow is not configured', async () => {
+      const params = createBuildParameters({ githubActionsWorkflow: '' });
+      provider = new GitHubActionsProvider(params);
+
+      await expect(provider.setupWorkflow('guid-123', params, 'main', [])).rejects.toThrow(
+        'githubActionsRepo and githubActionsWorkflow are required',
+      );
+    });
+
+    it('throws when token is missing', async () => {
+      const params = createBuildParameters({ githubActionsToken: '' });
+      provider = new GitHubActionsProvider(params);
+
+      await expect(provider.setupWorkflow('guid-123', params, 'main', [])).rejects.toThrow(
+        'githubActionsToken is required',
+      );
+    });
+
+    it('throws descriptive error when workflow verification fails', async () => {
+      mockRun.mockRejectedValueOnce(new Error('Not Found'));
+
+      await expect(provider.setupWorkflow('guid-123', createBuildParameters(), 'main', [])).rejects.toThrow(
+        'Failed to verify workflow build.yml in owner/repo',
+      );
+    });
+  });
+
+  describe('runTaskInWorkflow', () => {
+    it('dispatches workflow with correct inputs and returns logs on success', async () => {
+      // Dispatch succeeds
+      mockRun.mockResolvedValueOnce('');
+      // First poll finds the run
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 99001, status: 'in_progress' }));
+      // Status poll returns completed
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'completed', conclusion: 'success' }));
+      // Log fetch succeeds
+      mockRun.mockResolvedValueOnce('Build output log content here');
+
+      const result = await provider.runTaskInWorkflow(
+        'guid-abc',
+        'unityci/editor:2021.3',
+        'echo build',
+        '/mount',
+        '/work',
+        [],
+        [],
+      );
+
+      expect(result).toBe('Build output log content here');
+
+      // Verify dispatch command
+      const dispatchCommand = mockRun.mock.calls[0][0];
+      expect(dispatchCommand).toContain('dispatches');
+      expect(dispatchCommand).toContain('-X POST');
+      expect(dispatchCommand).toContain("ref='main'");
+
+      // Verify log fetch command
+      const logCommand = mockRun.mock.calls[3][0];
+      expect(logCommand).toContain('gh run view');
+      expect(logCommand).toContain('--log');
+      expect(logCommand).toContain('--repo owner/repo');
+    });
+
+    it('base64 encodes commands in the inputs payload', async () => {
+      mockRun.mockResolvedValueOnce(''); // dispatch
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 100, status: 'completed' })); // run found
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'completed', conclusion: 'success' })); // status
+      mockRun.mockResolvedValueOnce('logs'); // logs
+
+      await provider.runTaskInWorkflow('guid-1', 'image:latest', 'echo hello && build', '/mnt', '/w', [], []);
+
+      const dispatchCommand = mockRun.mock.calls[0][0];
+      const expectedB64 = Buffer.from('echo hello && build').toString('base64');
+      expect(dispatchCommand).toContain(expectedB64);
+    });
+
+    it('includes environment variables as JSON input', async () => {
+      mockRun.mockResolvedValueOnce(''); // dispatch
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 200, status: 'completed' })); // run found
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'completed', conclusion: 'success' })); // status
+      mockRun.mockResolvedValueOnce('logs'); // logs
+
+      const env = [
+        { name: 'UNITY_LICENSE', value: 'license-data' },
+        { name: 'BUILD_TARGET', value: 'StandaloneWindows64' },
+      ];
+
+      await provider.runTaskInWorkflow('guid-2', 'img', 'cmd', '/m', '/w', env as any, []);
+
+      const dispatchCommand = mockRun.mock.calls[0][0];
+      expect(dispatchCommand).toContain('UNITY_LICENSE');
+      expect(dispatchCommand).toContain('BUILD_TARGET');
+    });
+
+    it('throws when workflow dispatch fails', async () => {
+      mockRun.mockRejectedValueOnce(new Error('403 Forbidden'));
+
+      await expect(provider.runTaskInWorkflow('guid-err', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'Failed to dispatch workflow',
+      );
+    });
+
+    it('throws when workflow run does not start within timeout', async () => {
+      mockRun.mockResolvedValueOnce(''); // dispatch succeeds
+
+      // All 30 poll attempts fail
+      for (let i = 0; i < 30; i++) {
+        mockRun.mockRejectedValueOnce(new Error('not found'));
+      }
+
+      await expect(provider.runTaskInWorkflow('guid-timeout', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'Workflow run did not start within',
+      );
+    });
+
+    it('throws when workflow run fails with non-success conclusion', async () => {
+      mockRun.mockResolvedValueOnce(''); // dispatch
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 300, status: 'in_progress' })); // run appears
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'completed', conclusion: 'failure' })); // fails
+
+      await expect(provider.runTaskInWorkflow('guid-fail', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'Workflow run failed with conclusion: failure',
+      );
+    });
+
+    it('returns fallback message when log fetch fails', async () => {
+      mockRun.mockResolvedValueOnce(''); // dispatch
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 400, status: 'completed' })); // run appears
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'completed', conclusion: 'success' })); // completes
+      mockRun.mockRejectedValueOnce(new Error('logs unavailable')); // log fetch fails
+
+      const result = await provider.runTaskInWorkflow('guid-nologs', 'img', 'cmd', '/m', '/w', [], []);
+
+      expect(result).toContain('completed successfully');
+      expect(result).toContain('logs unavailable');
+    });
+
+    it('handles cancelled workflow run conclusion', async () => {
+      mockRun.mockResolvedValueOnce(''); // dispatch
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 500, status: 'in_progress' })); // run
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'completed', conclusion: 'cancelled' })); // cancelled
+
+      await expect(provider.runTaskInWorkflow('guid-cancel', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'Workflow run failed with conclusion: cancelled',
+      );
+    });
+
+    it('throws timeout error when polling exceeds maximum duration', async () => {
+      // Save real Date.now
+      const realDateNow = Date.now;
+      let callCount = 0;
+
+      // dispatch succeeds
+      mockRun.mockResolvedValueOnce('');
+      // run appears
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 600, status: 'in_progress' }));
+      // Status always returns in_progress
+      mockRun.mockImplementation(() => Promise.resolve(JSON.stringify({ status: 'in_progress' })));
+
+      // First call returns normal time, subsequent calls simulate 5 hours elapsed
+      Date.now = () => {
+        callCount++;
+        if (callCount <= 2) return realDateNow.call(Date);
+        return realDateNow.call(Date) + 14_400_001; // 4 hours + 1ms
+      };
+
+      try {
+        await expect(provider.runTaskInWorkflow('guid-poll-timeout', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+          'did not complete within 4 hours',
+        );
+
+        expect(core.error).toHaveBeenCalledWith(expect.stringContaining('did not complete within 4 hours'));
+      } finally {
+        Date.now = realDateNow;
+      }
+    });
+  });
+
+  describe('cleanupWorkflow', () => {
+    it('completes without error and logs cleanup message', async () => {
+      await provider.cleanupWorkflow(createBuildParameters(), 'main', []);
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('Cleanup complete'));
+    });
+  });
+
+  describe('garbageCollect', () => {
+    it('returns empty string (no-op)', async () => {
+      const result = await provider.garbageCollect('', false, 0, false, false);
+      expect(result).toBe('');
+    });
+  });
+
+  describe('listResources', () => {
+    it('returns runner names from the repository', async () => {
+      mockRun.mockResolvedValueOnce('runner-1\nrunner-2\nrunner-3\n');
+
+      const resources = await provider.listResources();
+
+      expect(resources).toHaveLength(3);
+      expect(resources[0].Name).toBe('runner-1');
+      expect(resources[1].Name).toBe('runner-2');
+      expect(resources[2].Name).toBe('runner-3');
+    });
+
+    it('returns empty array when repo or token is missing', async () => {
+      const params = createBuildParameters({ githubActionsRepo: '' });
+      provider = new GitHubActionsProvider(params);
+
+      const resources = await provider.listResources();
+      expect(resources).toEqual([]);
+      expect(mockRun).not.toHaveBeenCalled();
+    });
+
+    it('returns empty array when API call fails', async () => {
+      mockRun.mockRejectedValueOnce(new Error('API error'));
+
+      const resources = await provider.listResources();
+      expect(resources).toEqual([]);
+    });
+  });
+
+  describe('listWorkflow', () => {
+    it('returns recent workflow run names', async () => {
+      mockRun.mockResolvedValueOnce('Build Unity\nRun Tests\n');
+
+      const workflows = await provider.listWorkflow();
+
+      expect(workflows).toHaveLength(2);
+      expect(workflows[0].Name).toBe('Build Unity');
+      expect(workflows[1].Name).toBe('Run Tests');
+    });
+
+    it('returns empty array when credentials missing', async () => {
+      const params = createBuildParameters({ githubActionsToken: '' });
+      provider = new GitHubActionsProvider(params);
+
+      const workflows = await provider.listWorkflow();
+      expect(workflows).toEqual([]);
+    });
+  });
+
+  describe('watchWorkflow', () => {
+    it('returns message when no active run exists', async () => {
+      const result = await provider.watchWorkflow();
+      expect(result).toBe('No active run to watch');
+    });
+  });
+});

src/model/orchestrator/providers/github-actions/index.ts

@@ -0,0 +1,284 @@
+import * as core from '@actions/core';
+import BuildParameters from '../../../build-parameters';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import OrchestratorEnvironmentVariable from '../../options/orchestrator-environment-variable';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+import { ProviderInterface } from '../provider-interface';
+import OrchestratorSecret from '../../options/orchestrator-secret';
+import { ProviderResource } from '../provider-resource';
+import { ProviderWorkflow } from '../provider-workflow';
+
+const MAX_POLLING_DURATION_MS = 14_400_000; // 4 hours
+
+/**
+ * GitHub Actions provider — triggers builds as workflow_dispatch events
+ * on a target repository via the GitHub API.
+ *
+ * Use case: Distribute builds across orgs, use specialized runner pools,
+ * or trigger builds in repos with Unity licenses.
+ */
+class GitHubActionsProvider implements ProviderInterface {
+  private buildParameters: BuildParameters;
+  private repo: string;
+  private workflow: string;
+  private token: string;
+  private ref: string;
+  private runId: number = 0;
+
+  constructor(buildParameters: BuildParameters) {
+    this.buildParameters = buildParameters;
+    this.repo = buildParameters.githubActionsRepo || '';
+    this.workflow = buildParameters.githubActionsWorkflow || '';
+    this.token = buildParameters.githubActionsToken || '';
+    this.ref = buildParameters.githubActionsRef || 'main';
+  }
+
+  async setupWorkflow(
+    // eslint-disable-next-line no-unused-vars
+    buildGuid: string,
+    // eslint-disable-next-line no-unused-vars
+    buildParameters: BuildParameters,
+    // eslint-disable-next-line no-unused-vars
+    branchName: string,
+    // eslint-disable-next-line no-unused-vars
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ): Promise<void> {
+    OrchestratorLogger.log(`[GitHubActions] Setting up workflow dispatch to ${this.repo}`);
+
+    if (!this.repo || !this.workflow) {
+      throw new Error('githubActionsRepo and githubActionsWorkflow are required for the github-actions provider');
+    }
+
+    if (!this.token) {
+      throw new Error('githubActionsToken is required (PAT with actions:write scope)');
+    }
+
+    // Verify repository and workflow exist
+    try {
+      const result = await OrchestratorSystem.Run(
+        `GH_TOKEN=${this.token} gh api repos/${this.repo}/actions/workflows/${this.workflow} --jq '.id'`,
+      );
+      OrchestratorLogger.log(`[GitHubActions] Workflow verified: ${this.workflow} (ID: ${result.trim()})`);
+    } catch (error: any) {
+      throw new Error(`Failed to verify workflow ${this.workflow} in ${this.repo}: ${error.message || error}`);
+    }
+  }
+
+  async runTaskInWorkflow(
+    buildGuid: string,
+    image: string,
+    commands: string,
+    mountdir: string,
+    workingdir: string,
+    environment: OrchestratorEnvironmentVariable[],
+    // eslint-disable-next-line no-unused-vars
+    secrets: OrchestratorSecret[],
+  ): Promise<string> {
+    OrchestratorLogger.log(`[GitHubActions] Dispatching workflow ${this.workflow} on ${this.repo}@${this.ref}`);
+
+    // Build inputs payload
+    const inputs: Record<string, string> = {
+      buildGuid,
+      image,
+      commands: Buffer.from(commands).toString('base64'),
+      mountdir,
+      workingdir,
+    };
+
+    // Add environment variables as a JSON input
+    if (environment.length > 0) {
+      inputs.environment = JSON.stringify(environment.map((element) => ({ name: element.name, value: element.value })));
+    }
+
+    // Record the time before dispatch to identify the run
+    const beforeDispatch = new Date().toISOString();
+
+    // Dispatch the workflow
+    const inputsJson = JSON.stringify(inputs).replace(/'/g, "'\\''");
+    try {
+      await OrchestratorSystem.Run(
+        `GH_TOKEN=${this.token} gh api repos/${this.repo}/actions/workflows/${this.workflow}/dispatches -X POST -f ref='${this.ref}' -f "inputs=${inputsJson}"`,
+      );
+      OrchestratorLogger.log(`[GitHubActions] Workflow dispatched`);
+    } catch (error: any) {
+      throw new Error(`Failed to dispatch workflow: ${error.message || error}`);
+    }
+
+    // Poll for the run to appear
+    OrchestratorLogger.log(`[GitHubActions] Waiting for workflow run to start...`);
+    let attempts = 0;
+    const maxAttempts = 30;
+
+    while (attempts < maxAttempts) {
+      attempts++;
+      await new Promise((resolve) => setTimeout(resolve, 10_000));
+
+      try {
+        const runsJson = await OrchestratorSystem.Run(
+          `GH_TOKEN=${this.token} gh api "repos/${this.repo}/actions/workflows/${this.workflow}/runs?created=>${beforeDispatch}&per_page=5" --jq '.workflow_runs[0] | {id, status, conclusion}'`,
+          true,
+        );
+
+        const run = JSON.parse(runsJson.trim());
+        if (run.id) {
+          this.runId = run.id;
+          OrchestratorLogger.log(`[GitHubActions] Run started: ${this.runId} (status: ${run.status})`);
+          break;
+        }
+      } catch {
+        // Run not yet available
+      }
+    }
+
+    if (!this.runId) {
+      throw new Error(`Workflow run did not start within ${maxAttempts * 10}s`);
+    }
+
+    // Poll until completion and stream logs (with maximum duration guard)
+    let status = 'in_progress';
+    const pollingStartTime = Date.now();
+    const runUrl = `https://github.com/${this.repo}/actions/runs/${this.runId}`;
+
+    while (status === 'in_progress' || status === 'queued') {
+      const elapsedMs = Date.now() - pollingStartTime;
+      if (elapsedMs >= MAX_POLLING_DURATION_MS) {
+        const hours = Math.round(MAX_POLLING_DURATION_MS / 3_600_000);
+        const message = `GitHub Actions workflow did not complete within ${hours} hours. Run URL: ${runUrl}`;
+        core.error(message);
+        throw new Error(message);
+      }
+
+      await new Promise((resolve) => setTimeout(resolve, 15_000));
+
+      try {
+        const statusJson = await OrchestratorSystem.Run(
+          `GH_TOKEN=${this.token} gh api repos/${this.repo}/actions/runs/${this.runId} --jq '{status, conclusion}'`,
+          true,
+        );
+
+        const result = JSON.parse(statusJson.trim());
+        status = result.status;
+
+        if (status === 'completed') {
+          OrchestratorLogger.log(`[GitHubActions] Run ${this.runId} completed: ${result.conclusion}`);
+
+          if (result.conclusion !== 'success') {
+            throw new Error(`Workflow run failed with conclusion: ${result.conclusion}`);
+          }
+
+          break;
+        }
+
+        OrchestratorLogger.log(`[GitHubActions] Run ${this.runId} status: ${status}`);
+      } catch (error: any) {
+        if (error.message && error.message.includes('conclusion')) {
+          throw error;
+        }
+        if (error.message && error.message.includes('did not complete within')) {
+          throw error;
+        }
+        OrchestratorLogger.logWarning(`[GitHubActions] Status check error: ${error.message || error}`);
+      }
+    }
+
+    // Fetch logs
+    try {
+      const logs = await OrchestratorSystem.Run(
+        `GH_TOKEN=${this.token} gh run view ${this.runId} --repo ${this.repo} --log`,
+        true,
+      );
+
+      return logs;
+    } catch {
+      return `Run ${this.runId} completed successfully (logs unavailable)`;
+    }
+  }
+
+  async cleanupWorkflow(
+    // eslint-disable-next-line no-unused-vars
+    buildParameters: BuildParameters,
+    // eslint-disable-next-line no-unused-vars
+    branchName: string,
+    // eslint-disable-next-line no-unused-vars
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ): Promise<void> {
+    OrchestratorLogger.log(`[GitHubActions] Cleanup complete (no resources to tear down)`);
+  }
+
+  async garbageCollect(
+    // eslint-disable-next-line no-unused-vars
+    filter: string,
+    // eslint-disable-next-line no-unused-vars
+    previewOnly: boolean,
+    // eslint-disable-next-line no-unused-vars
+    olderThan: Number,
+    // eslint-disable-next-line no-unused-vars
+    fullCache: boolean,
+    // eslint-disable-next-line no-unused-vars
+    baseDependencies: boolean,
+  ): Promise<string> {
+    return '';
+  }
+
+  async listResources(): Promise<ProviderResource[]> {
+    if (!this.repo || !this.token) return [];
+
+    try {
+      const runnersJson = await OrchestratorSystem.Run(
+        `GH_TOKEN=${this.token} gh api repos/${this.repo}/actions/runners --jq '.runners[] | .name'`,
+        true,
+      );
+
+      return runnersJson
+        .trim()
+        .split('\n')
+        .filter(Boolean)
+        .map((name) => {
+          const resource = new ProviderResource();
+          resource.Name = name.trim();
+
+          return resource;
+        });
+    } catch {
+      return [];
+    }
+  }
+
+  async listWorkflow(): Promise<ProviderWorkflow[]> {
+    if (!this.repo || !this.token) return [];
+
+    try {
+      const runsJson = await OrchestratorSystem.Run(
+        `GH_TOKEN=${this.token} gh api repos/${this.repo}/actions/runs?per_page=10 --jq '.workflow_runs[] | .name'`,
+        true,
+      );
+
+      return runsJson
+        .trim()
+        .split('\n')
+        .filter(Boolean)
+        .map((name) => {
+          const workflow = new ProviderWorkflow();
+          workflow.Name = name.trim();
+
+          return workflow;
+        });
+    } catch {
+      return [];
+    }
+  }
+
+  async watchWorkflow(): Promise<string> {
+    if (!this.runId) return 'No active run to watch';
+
+    try {
+      return await OrchestratorSystem.Run(
+        `GH_TOKEN=${this.token} gh run watch ${this.runId} --repo ${this.repo}`,
+        true,
+      );
+    } catch {
+      return '';
+    }
+  }
+}
+export default GitHubActionsProvider;

src/model/orchestrator/providers/gitlab-ci/gitlab-ci-provider.test.ts

@@ -0,0 +1,329 @@
+import GitLabCIProvider from '.';
+import BuildParameters from '../../../build-parameters';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+import * as core from '@actions/core';
+
+jest.mock('../../services/core/orchestrator-system');
+jest.mock('../../services/core/orchestrator-logger');
+jest.mock('@actions/core', () => ({
+  info: jest.fn(),
+  warning: jest.fn(),
+  error: jest.fn(),
+  setOutput: jest.fn(),
+  getInput: jest.fn(() => ''),
+}));
+
+const mockRun = OrchestratorSystem.Run as jest.MockedFunction<typeof OrchestratorSystem.Run>;
+const mockLog = OrchestratorLogger.log as jest.MockedFunction<typeof OrchestratorLogger.log>;
+const mockLogWarning = OrchestratorLogger.logWarning as jest.MockedFunction<typeof OrchestratorLogger.logWarning>;
+
+function createBuildParameters(overrides: Partial<BuildParameters> = {}): BuildParameters {
+  return {
+    gitlabProjectId: 'my-group/my-project',
+    gitlabTriggerToken: 'glptt-test-token-456',
+    gitlabApiUrl: 'https://gitlab.example.com',
+    gitlabRef: 'main',
+    ...overrides,
+  } as BuildParameters;
+}
+
+// Override setTimeout to execute callbacks immediately so polling loops complete fast
+const originalSetTimeout = global.setTimeout;
+beforeAll(() => {
+  global.setTimeout = ((fn: (...args: any[]) => void, _ms?: number, ...args: any[]) => {
+    return originalSetTimeout(fn, 0, ...args);
+  }) as any;
+});
+afterAll(() => {
+  global.setTimeout = originalSetTimeout;
+});
+
+describe('GitLabCIProvider', () => {
+  let provider: GitLabCIProvider;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    provider = new GitLabCIProvider(createBuildParameters());
+  });
+
+  describe('constructor', () => {
+    it('strips trailing slashes from apiUrl', () => {
+      const params = createBuildParameters({ gitlabApiUrl: 'https://gitlab.example.com///' });
+      const p = new GitLabCIProvider(params);
+      expect(p).toBeDefined();
+    });
+
+    it('defaults apiUrl to https://gitlab.com when not provided', () => {
+      const params = createBuildParameters({ gitlabApiUrl: undefined });
+      const p = new GitLabCIProvider(params);
+      expect(p).toBeDefined();
+    });
+
+    it('defaults ref to main when not provided', () => {
+      const params = createBuildParameters({ gitlabRef: undefined });
+      const p = new GitLabCIProvider(params);
+      expect(p).toBeDefined();
+    });
+  });
+
+  describe('setupWorkflow', () => {
+    it('verifies project access via curl and logs success', async () => {
+      mockRun.mockResolvedValueOnce('');
+
+      await provider.setupWorkflow('guid-123', createBuildParameters(), 'main', []);
+
+      expect(mockRun).toHaveBeenCalledTimes(1);
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('curl -sf');
+      expect(command).toContain('PRIVATE-TOKEN: glptt-test-token-456');
+      expect(command).toContain('gitlab.example.com/api/v4/projects/');
+      expect(command).toContain(encodeURIComponent('my-group/my-project'));
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('Project access verified'));
+    });
+
+    it('throws when projectId is not configured', async () => {
+      const params = createBuildParameters({ gitlabProjectId: '' });
+      provider = new GitLabCIProvider(params);
+
+      await expect(provider.setupWorkflow('guid-123', params, 'main', [])).rejects.toThrow(
+        'gitlabProjectId and gitlabTriggerToken are required',
+      );
+    });
+
+    it('throws when triggerToken is not configured', async () => {
+      const params = createBuildParameters({ gitlabTriggerToken: '' });
+      provider = new GitLabCIProvider(params);
+
+      await expect(provider.setupWorkflow('guid-123', params, 'main', [])).rejects.toThrow(
+        'gitlabProjectId and gitlabTriggerToken are required',
+      );
+    });
+
+    it('throws descriptive error when project access check fails', async () => {
+      mockRun.mockRejectedValueOnce(new Error('401 Unauthorized'));
+
+      await expect(provider.setupWorkflow('guid-123', createBuildParameters(), 'main', [])).rejects.toThrow(
+        'Failed to access GitLab project my-group/my-project',
+      );
+    });
+  });
+
+  describe('runTaskInWorkflow', () => {
+    it('triggers pipeline and returns job logs on success', async () => {
+      // Pipeline trigger response
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 5001, status: 'pending' }));
+      // Status poll returns success
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'success' }));
+      // Jobs list
+      mockRun.mockResolvedValueOnce(
+        JSON.stringify([
+          { id: 10001, name: 'build-unity', status: 'success' },
+          { id: 10002, name: 'test-unity', status: 'success' },
+        ]),
+      );
+      // Job traces
+      mockRun.mockResolvedValueOnce('Building Unity project...\nDone.');
+      mockRun.mockResolvedValueOnce('Running tests...\nAll passed.');
+
+      const result = await provider.runTaskInWorkflow(
+        'guid-gl1',
+        'unityci/editor:2021.3',
+        'echo build',
+        '/mount',
+        '/work',
+        [],
+        [],
+      );
+
+      expect(result).toContain('build-unity');
+      expect(result).toContain('test-unity');
+      expect(result).toContain('Building Unity project');
+      expect(result).toContain('Running tests');
+
+      // Verify trigger command
+      const triggerCommand = mockRun.mock.calls[0][0];
+      expect(triggerCommand).toContain('trigger/pipeline');
+      expect(triggerCommand).toContain(`token=${createBuildParameters().gitlabTriggerToken}`);
+      expect(triggerCommand).toContain('ref=main');
+    });
+
+    it('passes build variables including base64-encoded commands', async () => {
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 5002, status: 'success' }));
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'success' }));
+      mockRun.mockResolvedValueOnce(JSON.stringify([]));
+
+      await provider.runTaskInWorkflow(
+        'guid-vars',
+        'ubuntu:20.04',
+        'make build',
+        '/mnt/data',
+        '/workspace',
+        [{ name: 'UNITY_VERSION', value: '2021.3.1f1' } as any],
+        [],
+      );
+
+      const triggerCommand = mockRun.mock.calls[0][0];
+      const expectedB64 = Buffer.from('make build').toString('base64');
+      expect(triggerCommand).toContain(`variables[BUILD_COMMANDS]=${expectedB64}`);
+      expect(triggerCommand).toContain('variables[BUILD_GUID]=guid-vars');
+      expect(triggerCommand).toContain('variables[BUILD_IMAGE]=ubuntu:20.04');
+      expect(triggerCommand).toContain('variables[MOUNT_DIR]=/mnt/data');
+      expect(triggerCommand).toContain('variables[WORKING_DIR]=/workspace');
+      expect(triggerCommand).toContain('variables[UNITY_VERSION]=2021.3.1f1');
+    });
+
+    it('throws when pipeline trigger fails', async () => {
+      mockRun.mockRejectedValueOnce(new Error('404 Not Found'));
+
+      await expect(provider.runTaskInWorkflow('guid-err', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'Failed to trigger pipeline',
+      );
+    });
+
+    it('throws when pipeline finishes with failure status', async () => {
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 5003, status: 'pending' }));
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'failed' }));
+
+      await expect(provider.runTaskInWorkflow('guid-fail', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'Pipeline 5003 finished with status: failed',
+      );
+    });
+
+    it('throws when pipeline is canceled', async () => {
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 5004, status: 'pending' }));
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'canceled' }));
+
+      await expect(provider.runTaskInWorkflow('guid-cancel', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'Pipeline 5004 finished with status: canceled',
+      );
+    });
+
+    it('handles job log fetch failures gracefully', async () => {
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 5005, status: 'success' }));
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'success' }));
+      mockRun.mockResolvedValueOnce(JSON.stringify([{ id: 20001, name: 'build', status: 'success' }]));
+      // Job trace fetch fails
+      mockRun.mockRejectedValueOnce(new Error('trace unavailable'));
+
+      const result = await provider.runTaskInWorkflow('guid-nologs', 'img', 'cmd', '/m', '/w', [], []);
+
+      expect(result).toContain('build');
+      expect(result).toContain('logs unavailable');
+    });
+
+    it('returns fallback message when entire job fetch fails', async () => {
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 5006, status: 'success' }));
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'success' }));
+      // Jobs list fails
+      mockRun.mockRejectedValueOnce(new Error('API error'));
+
+      const result = await provider.runTaskInWorkflow('guid-noapi', 'img', 'cmd', '/m', '/w', [], []);
+
+      expect(result).toContain('Pipeline 5006 completed successfully');
+      expect(result).toContain('logs unavailable');
+    });
+
+    it('continues polling through status check errors until completion', async () => {
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 5007, status: 'pending' }));
+      // First status check fails
+      mockRun.mockRejectedValueOnce(new Error('network blip'));
+      // Second status check succeeds
+      mockRun.mockResolvedValueOnce(JSON.stringify({ status: 'success' }));
+      // Jobs/logs
+      mockRun.mockResolvedValueOnce(JSON.stringify([]));
+
+      await provider.runTaskInWorkflow('guid-retry', 'img', 'cmd', '/m', '/w', [], []);
+
+      expect(mockLogWarning).toHaveBeenCalledWith(expect.stringContaining('Status check error'));
+    });
+
+    it('throws timeout error when polling exceeds maximum duration', async () => {
+      const realDateNow = Date.now;
+      let callCount = 0;
+
+      // Trigger pipeline succeeds
+      mockRun.mockResolvedValueOnce(JSON.stringify({ id: 5008, status: 'running' }));
+      // Status always returns running
+      mockRun.mockImplementation(() => Promise.resolve(JSON.stringify({ status: 'running' })));
+
+      // After first call, simulate 5 hours elapsed
+      Date.now = () => {
+        callCount++;
+        if (callCount <= 1) return realDateNow.call(Date);
+        return realDateNow.call(Date) + 14_400_001; // 4 hours + 1ms
+      };
+
+      try {
+        await expect(provider.runTaskInWorkflow('guid-poll-timeout', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+          'did not complete within 4 hours',
+        );
+
+        expect(core.error).toHaveBeenCalledWith(expect.stringContaining('did not complete within 4 hours'));
+      } finally {
+        Date.now = realDateNow;
+      }
+    });
+  });
+
+  describe('cleanupWorkflow', () => {
+    it('completes without error and logs cleanup message', async () => {
+      await provider.cleanupWorkflow(createBuildParameters(), 'main', []);
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('Cleanup complete'));
+    });
+  });
+
+  describe('garbageCollect', () => {
+    it('returns empty string (no-op)', async () => {
+      const result = await provider.garbageCollect('', false, 0, false, false);
+      expect(result).toBe('');
+    });
+  });
+
+  describe('listResources', () => {
+    it('returns empty array (not implemented)', async () => {
+      const resources = await provider.listResources();
+      expect(resources).toEqual([]);
+    });
+  });
+
+  describe('listWorkflow', () => {
+    it('returns recent pipeline names when credentials are available', async () => {
+      mockRun.mockResolvedValueOnce(
+        JSON.stringify([
+          { id: 100, status: 'success' },
+          { id: 101, status: 'failed' },
+        ]),
+      );
+
+      const workflows = await provider.listWorkflow();
+
+      expect(workflows).toHaveLength(2);
+      expect(workflows[0].Name).toBe('Pipeline #100 (success)');
+      expect(workflows[1].Name).toBe('Pipeline #101 (failed)');
+    });
+
+    it('returns empty array when credentials are missing', async () => {
+      const params = createBuildParameters({ gitlabProjectId: '' });
+      provider = new GitLabCIProvider(params);
+
+      const workflows = await provider.listWorkflow();
+      expect(workflows).toEqual([]);
+      expect(mockRun).not.toHaveBeenCalled();
+    });
+
+    it('returns empty array when API call fails', async () => {
+      mockRun.mockRejectedValueOnce(new Error('API error'));
+
+      const workflows = await provider.listWorkflow();
+      expect(workflows).toEqual([]);
+    });
+  });
+
+  describe('watchWorkflow', () => {
+    it('returns empty string (not implemented)', async () => {
+      const result = await provider.watchWorkflow();
+      expect(result).toBe('');
+    });
+  });
+});

src/model/orchestrator/providers/gitlab-ci/index.ts

@@ -0,0 +1,224 @@
+import * as core from '@actions/core';
+import BuildParameters from '../../../build-parameters';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import OrchestratorEnvironmentVariable from '../../options/orchestrator-environment-variable';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+import { ProviderInterface } from '../provider-interface';
+import OrchestratorSecret from '../../options/orchestrator-secret';
+import { ProviderResource } from '../provider-resource';
+import { ProviderWorkflow } from '../provider-workflow';
+
+const MAX_POLLING_DURATION_MS = 14_400_000; // 4 hours
+
+/**
+ * GitLab CI provider — triggers builds as GitLab CI pipelines
+ * via the GitLab API.
+ *
+ * Use case: Teams using GitLab CI, hybrid GitHub/GitLab setups,
+ * or GitLab runners with Unity licenses.
+ */
+class GitLabCIProvider implements ProviderInterface {
+  private buildParameters: BuildParameters;
+  private projectId: string;
+  private triggerToken: string;
+  private apiUrl: string;
+  private ref: string;
+  private pipelineId: number = 0;
+
+  constructor(buildParameters: BuildParameters) {
+    this.buildParameters = buildParameters;
+    this.projectId = buildParameters.gitlabProjectId || '';
+    this.triggerToken = buildParameters.gitlabTriggerToken || '';
+    this.apiUrl = (buildParameters.gitlabApiUrl || 'https://gitlab.com').replace(/\/+$/, '');
+    this.ref = buildParameters.gitlabRef || 'main';
+  }
+
+  async setupWorkflow(
+    // eslint-disable-next-line no-unused-vars
+    buildGuid: string,
+    // eslint-disable-next-line no-unused-vars
+    buildParameters: BuildParameters,
+    // eslint-disable-next-line no-unused-vars
+    branchName: string,
+    // eslint-disable-next-line no-unused-vars
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ): Promise<void> {
+    OrchestratorLogger.log(`[GitLabCI] Setting up pipeline trigger for project ${this.projectId}`);
+
+    if (!this.projectId || !this.triggerToken) {
+      throw new Error('gitlabProjectId and gitlabTriggerToken are required for the gitlab-ci provider');
+    }
+
+    // Verify project access
+    const encodedProject = encodeURIComponent(this.projectId);
+    try {
+      await OrchestratorSystem.Run(
+        `curl -sf -H "PRIVATE-TOKEN: ${this.triggerToken}" "${this.apiUrl}/api/v4/projects/${encodedProject}" -o /dev/null`,
+      );
+      OrchestratorLogger.log(`[GitLabCI] Project access verified`);
+    } catch (error: any) {
+      throw new Error(`Failed to access GitLab project ${this.projectId}: ${error.message || error}`);
+    }
+  }
+
+  async runTaskInWorkflow(
+    buildGuid: string,
+    image: string,
+    commands: string,
+    mountdir: string,
+    workingdir: string,
+    environment: OrchestratorEnvironmentVariable[],
+    // eslint-disable-next-line no-unused-vars
+    secrets: OrchestratorSecret[],
+  ): Promise<string> {
+    OrchestratorLogger.log(`[GitLabCI] Triggering pipeline on project ${this.projectId}@${this.ref}`);
+
+    const encodedProject = encodeURIComponent(this.projectId);
+
+    // Build variables for the pipeline
+    const pipelineVariables: string[] = [
+      `-f "variables[BUILD_GUID]=${buildGuid}"`,
+      `-f "variables[BUILD_IMAGE]=${image}"`,
+      `-f "variables[BUILD_COMMANDS]=${Buffer.from(commands).toString('base64')}"`,
+      `-f "variables[MOUNT_DIR]=${mountdir}"`,
+      `-f "variables[WORKING_DIR]=${workingdir}"`,
+    ];
+
+    for (const element of environment) {
+      pipelineVariables.push(`-f "variables[${element.name}]=${element.value}"`);
+    }
+
+    // Trigger pipeline
+    try {
+      const response = await OrchestratorSystem.Run(
+        `curl -sf -X POST "${this.apiUrl}/api/v4/projects/${encodedProject}/trigger/pipeline" -f "token=${
+          this.triggerToken
+        }" -f "ref=${this.ref}" ${pipelineVariables.join(' ')}`,
+      );
+
+      const pipeline = JSON.parse(response);
+      this.pipelineId = pipeline.id;
+      OrchestratorLogger.log(`[GitLabCI] Pipeline triggered: ${this.pipelineId} (status: ${pipeline.status})`);
+    } catch (error: any) {
+      throw new Error(`Failed to trigger pipeline: ${error.message || error}`);
+    }
+
+    // Poll until completion (with maximum duration guard)
+    let status = 'pending';
+    const terminalStatuses = new Set(['success', 'failed', 'canceled', 'skipped']);
+    const pollingStartTime = Date.now();
+    const pipelineUrl = `${this.apiUrl}/${this.projectId}/-/pipelines/${this.pipelineId}`;
+
+    while (!terminalStatuses.has(status)) {
+      const elapsedMs = Date.now() - pollingStartTime;
+      if (elapsedMs >= MAX_POLLING_DURATION_MS) {
+        const hours = Math.round(MAX_POLLING_DURATION_MS / 3_600_000);
+        const message = `GitLab CI pipeline did not complete within ${hours} hours. Pipeline URL: ${pipelineUrl}`;
+        core.error(message);
+        throw new Error(message);
+      }
+
+      await new Promise((resolve) => setTimeout(resolve, 15_000));
+
+      try {
+        const statusResponse = await OrchestratorSystem.Run(
+          `curl -sf -H "PRIVATE-TOKEN: ${this.triggerToken}" "${this.apiUrl}/api/v4/projects/${encodedProject}/pipelines/${this.pipelineId}"`,
+          true,
+        );
+
+        const pipelineStatus = JSON.parse(statusResponse);
+        status = pipelineStatus.status;
+        OrchestratorLogger.log(`[GitLabCI] Pipeline ${this.pipelineId} status: ${status}`);
+      } catch (error: any) {
+        OrchestratorLogger.logWarning(`[GitLabCI] Status check error: ${error.message || error}`);
+      }
+    }
+
+    if (status !== 'success') {
+      throw new Error(`Pipeline ${this.pipelineId} finished with status: ${status}`);
+    }
+
+    // Fetch job logs
+    try {
+      const jobsResponse = await OrchestratorSystem.Run(
+        `curl -sf -H "PRIVATE-TOKEN: ${this.triggerToken}" "${this.apiUrl}/api/v4/projects/${encodedProject}/pipelines/${this.pipelineId}/jobs"`,
+        true,
+      );
+
+      const jobs = JSON.parse(jobsResponse);
+      const logs: string[] = [];
+
+      for (const job of jobs) {
+        try {
+          const jobLog = await OrchestratorSystem.Run(
+            `curl -sf -H "PRIVATE-TOKEN: ${this.triggerToken}" "${this.apiUrl}/api/v4/projects/${encodedProject}/jobs/${job.id}/trace"`,
+            true,
+          );
+          logs.push(`=== Job: ${job.name} (${job.status}) ===\n${jobLog}`);
+        } catch {
+          logs.push(`=== Job: ${job.name} (${job.status}) === (logs unavailable)`);
+        }
+      }
+
+      return logs.join('\n\n');
+    } catch {
+      return `Pipeline ${this.pipelineId} completed successfully (logs unavailable)`;
+    }
+  }
+
+  async cleanupWorkflow(
+    // eslint-disable-next-line no-unused-vars
+    buildParameters: BuildParameters,
+    // eslint-disable-next-line no-unused-vars
+    branchName: string,
+    // eslint-disable-next-line no-unused-vars
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ): Promise<void> {
+    OrchestratorLogger.log(`[GitLabCI] Cleanup complete`);
+  }
+
+  async garbageCollect(
+    // eslint-disable-next-line no-unused-vars
+    filter: string,
+    // eslint-disable-next-line no-unused-vars
+    previewOnly: boolean,
+    // eslint-disable-next-line no-unused-vars
+    olderThan: Number,
+    // eslint-disable-next-line no-unused-vars
+    fullCache: boolean,
+    // eslint-disable-next-line no-unused-vars
+    baseDependencies: boolean,
+  ): Promise<string> {
+    return '';
+  }
+
+  async listResources(): Promise<ProviderResource[]> {
+    return [];
+  }
+
+  async listWorkflow(): Promise<ProviderWorkflow[]> {
+    if (!this.projectId || !this.triggerToken) return [];
+
+    try {
+      const encodedProject = encodeURIComponent(this.projectId);
+      const response = await OrchestratorSystem.Run(
+        `curl -sf -H "PRIVATE-TOKEN: ${this.triggerToken}" "${this.apiUrl}/api/v4/projects/${encodedProject}/pipelines?per_page=10"`,
+        true,
+      );
+
+      return JSON.parse(response).map((pipeline: any) => {
+        const workflow = new ProviderWorkflow();
+        workflow.Name = `Pipeline #${pipeline.id} (${pipeline.status})`;
+
+        return workflow;
+      });
+    } catch {
+      return [];
+    }
+  }
+
+  async watchWorkflow(): Promise<string> {
+    return '';
+  }
+}
+export default GitLabCIProvider;

src/model/orchestrator/providers/provider-selection.test.ts

@@ -0,0 +1,164 @@
+import BuildParameters from '../../build-parameters';
+import RemotePowershellProvider from './remote-powershell';
+import GitHubActionsProvider from './github-actions';
+import GitLabCIProvider from './gitlab-ci';
+import AnsibleProvider from './ansible';
+
+/**
+ * Tests for provider selection logic in Orchestrator.setProvider.
+ *
+ * These tests verify that the correct provider class is instantiated based on
+ * the providerStrategy field in BuildParameters. Rather than invoking the full
+ * Orchestrator.setProvider (which has heavy dependencies on OrchestratorOptions,
+ * AWS detection, etc.), we test the provider constructors directly to verify
+ * they produce the right provider type from the same build parameters the
+ * orchestrator switch statement uses.
+ */
+describe('Provider Selection', () => {
+  describe('remote-powershell provider', () => {
+    it('creates RemotePowershellProvider from build parameters', () => {
+      const params = {
+        providerStrategy: 'remote-powershell',
+        remotePowershellHost: 'build-server.local',
+        remotePowershellTransport: 'wsman',
+        remotePowershellCredential: 'user:pass',
+      } as BuildParameters;
+
+      const provider = new RemotePowershellProvider(params);
+
+      expect(provider).toBeInstanceOf(RemotePowershellProvider);
+      expect(provider.constructor.name).toBe('RemotePowershellProvider');
+    });
+  });
+
+  describe('github-actions provider', () => {
+    it('creates GitHubActionsProvider from build parameters', () => {
+      const params = {
+        providerStrategy: 'github-actions',
+        githubActionsRepo: 'org/repo',
+        githubActionsWorkflow: 'ci.yml',
+        githubActionsToken: 'ghp_token',
+        githubActionsRef: 'main',
+      } as BuildParameters;
+
+      const provider = new GitHubActionsProvider(params);
+
+      expect(provider).toBeInstanceOf(GitHubActionsProvider);
+      expect(provider.constructor.name).toBe('GitHubActionsProvider');
+    });
+  });
+
+  describe('gitlab-ci provider', () => {
+    it('creates GitLabCIProvider from build parameters', () => {
+      const params = {
+        providerStrategy: 'gitlab-ci',
+        gitlabProjectId: 'group/project',
+        gitlabTriggerToken: 'glptt-token',
+        gitlabApiUrl: 'https://gitlab.com',
+        gitlabRef: 'main',
+      } as BuildParameters;
+
+      const provider = new GitLabCIProvider(params);
+
+      expect(provider).toBeInstanceOf(GitLabCIProvider);
+      expect(provider.constructor.name).toBe('GitLabCIProvider');
+    });
+  });
+
+  describe('ansible provider', () => {
+    it('creates AnsibleProvider from build parameters', () => {
+      const params = {
+        providerStrategy: 'ansible',
+        ansibleInventory: '/etc/ansible/hosts',
+        ansiblePlaybook: '/playbooks/build.yml',
+        ansibleExtraVars: '',
+        ansibleVaultPassword: '',
+      } as BuildParameters;
+
+      const provider = new AnsibleProvider(params);
+
+      expect(provider).toBeInstanceOf(AnsibleProvider);
+      expect(provider.constructor.name).toBe('AnsibleProvider');
+    });
+  });
+
+  describe('provider strategy routing', () => {
+    it('each provider strategy maps to a distinct provider class', () => {
+      const strategies: Record<string, new (params: BuildParameters) => any> = {
+        'remote-powershell': RemotePowershellProvider,
+        'github-actions': GitHubActionsProvider,
+        'gitlab-ci': GitLabCIProvider,
+        ansible: AnsibleProvider,
+      };
+
+      const params = {
+        remotePowershellHost: 'host',
+        remotePowershellTransport: 'wsman',
+        remotePowershellCredential: '',
+        githubActionsRepo: 'org/repo',
+        githubActionsWorkflow: 'ci.yml',
+        githubActionsToken: 'token',
+        githubActionsRef: 'main',
+        gitlabProjectId: 'proj',
+        gitlabTriggerToken: 'tok',
+        gitlabApiUrl: 'https://gitlab.com',
+        gitlabRef: 'main',
+        ansibleInventory: '/inv',
+        ansiblePlaybook: '/pb.yml',
+        ansibleExtraVars: '',
+        ansibleVaultPassword: '',
+      } as BuildParameters;
+
+      const instances = Object.entries(strategies).map(([strategy, ProviderClass]) => {
+        const provider = new ProviderClass(params);
+        return { strategy, className: provider.constructor.name };
+      });
+
+      // Verify all four strategies produce different provider classes
+      const classNames = instances.map((i) => i.className);
+      const uniqueClassNames = new Set(classNames);
+      expect(uniqueClassNames.size).toBe(4);
+
+      // Verify expected mapping
+      expect(instances.find((i) => i.strategy === 'remote-powershell')!.className).toBe('RemotePowershellProvider');
+      expect(instances.find((i) => i.strategy === 'github-actions')!.className).toBe('GitHubActionsProvider');
+      expect(instances.find((i) => i.strategy === 'gitlab-ci')!.className).toBe('GitLabCIProvider');
+      expect(instances.find((i) => i.strategy === 'ansible')!.className).toBe('AnsibleProvider');
+    });
+
+    it('all providers implement ProviderInterface methods', () => {
+      const params = {
+        remotePowershellHost: 'host',
+        githubActionsRepo: 'org/repo',
+        githubActionsWorkflow: 'ci.yml',
+        githubActionsToken: 'token',
+        gitlabProjectId: 'proj',
+        gitlabTriggerToken: 'tok',
+        ansibleInventory: '/inv',
+      } as BuildParameters;
+
+      const providers = [
+        new RemotePowershellProvider(params),
+        new GitHubActionsProvider(params),
+        new GitLabCIProvider(params),
+        new AnsibleProvider(params),
+      ];
+
+      const requiredMethods = [
+        'setupWorkflow',
+        'runTaskInWorkflow',
+        'cleanupWorkflow',
+        'garbageCollect',
+        'listResources',
+        'listWorkflow',
+        'watchWorkflow',
+      ];
+
+      for (const provider of providers) {
+        for (const method of requiredMethods) {
+          expect(typeof (provider as any)[method]).toBe('function');
+        }
+      }
+    });
+  });
+});

src/model/orchestrator/providers/remote-powershell/index.ts

@@ -0,0 +1,166 @@
+import BuildParameters from '../../../build-parameters';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import OrchestratorEnvironmentVariable from '../../options/orchestrator-environment-variable';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+import { ProviderInterface } from '../provider-interface';
+import OrchestratorSecret from '../../options/orchestrator-secret';
+import { ProviderResource } from '../provider-resource';
+import { ProviderWorkflow } from '../provider-workflow';
+
+/**
+ * Remote PowerShell provider — executes Unity builds on remote machines
+ * via PowerShell Remoting (WinRM or SSH).
+ *
+ * Use case: Teams with dedicated build machines not part of a CI system.
+ */
+class RemotePowershellProvider implements ProviderInterface {
+  private buildParameters: BuildParameters;
+  private host: string;
+  private transport: string;
+  private credential: string;
+  private sessionId: string = '';
+
+  constructor(buildParameters: BuildParameters) {
+    this.buildParameters = buildParameters;
+    this.host = buildParameters.remotePowershellHost || '';
+    this.transport = buildParameters.remotePowershellTransport || 'wsman';
+    this.credential = buildParameters.remotePowershellCredential || '';
+  }
+
+  async setupWorkflow(
+    buildGuid: string,
+    // eslint-disable-next-line no-unused-vars
+    buildParameters: BuildParameters,
+    // eslint-disable-next-line no-unused-vars
+    branchName: string,
+    // eslint-disable-next-line no-unused-vars
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ): Promise<void> {
+    OrchestratorLogger.log(`[RemotePowershell] Setting up remote session to ${this.host} via ${this.transport}`);
+
+    if (!this.host) {
+      throw new Error('remotePowershellHost is required for the remote-powershell provider');
+    }
+
+    // Test connectivity
+    const testCommand = this.buildPwshCommand(`Test-WSMan -ComputerName "${this.host}" -ErrorAction Stop`);
+    try {
+      await OrchestratorSystem.Run(testCommand);
+      OrchestratorLogger.log(`[RemotePowershell] Connection test passed`);
+    } catch (error: any) {
+      throw new Error(`Failed to connect to remote host ${this.host}: ${error.message || error}`);
+    }
+
+    this.sessionId = buildGuid;
+    OrchestratorLogger.log(`[RemotePowershell] Session ${this.sessionId} ready`);
+  }
+
+  async runTaskInWorkflow(
+    buildGuid: string,
+    image: string,
+    commands: string,
+    mountdir: string,
+    workingdir: string,
+    environment: OrchestratorEnvironmentVariable[],
+    secrets: OrchestratorSecret[],
+  ): Promise<string> {
+    OrchestratorLogger.log(`[RemotePowershell] Executing task on ${this.host}`);
+
+    // Build environment variable block for remote session
+    const environmentBlock = environment.map((element) => `$env:${element.name} = '${element.value}'`).join('; ');
+
+    const secretBlock = secrets
+      .map((secret) => `$env:${secret.EnvironmentVariable} = '${secret.ParameterValue}'`)
+      .join('; ');
+
+    // Wrap commands for remote execution
+    const remoteScript = [environmentBlock, secretBlock, `Set-Location "${workingdir}"`, commands]
+      .filter(Boolean)
+      .join('; ');
+
+    const invokeCommand = this.buildInvokeCommand(remoteScript);
+
+    try {
+      const output = await OrchestratorSystem.Run(invokeCommand);
+      OrchestratorLogger.log(`[RemotePowershell] Task completed successfully`);
+
+      return output;
+    } catch (error: any) {
+      OrchestratorLogger.logWarning(`[RemotePowershell] Task failed: ${error.message || error}`);
+      throw error;
+    }
+  }
+
+  async cleanupWorkflow(
+    // eslint-disable-next-line no-unused-vars
+    buildParameters: BuildParameters,
+    // eslint-disable-next-line no-unused-vars
+    branchName: string,
+    // eslint-disable-next-line no-unused-vars
+    defaultSecretsArray: { ParameterKey: string; EnvironmentVariable: string; ParameterValue: string }[],
+  ): Promise<void> {
+    OrchestratorLogger.log(`[RemotePowershell] Cleaning up session ${this.sessionId}`);
+
+    // Remote sessions are stateless per invocation — no cleanup needed
+  }
+
+  async garbageCollect(
+    // eslint-disable-next-line no-unused-vars
+    filter: string,
+    // eslint-disable-next-line no-unused-vars
+    previewOnly: boolean,
+    // eslint-disable-next-line no-unused-vars
+    olderThan: Number,
+    // eslint-disable-next-line no-unused-vars
+    fullCache: boolean,
+    // eslint-disable-next-line no-unused-vars
+    baseDependencies: boolean,
+  ): Promise<string> {
+    OrchestratorLogger.log(`[RemotePowershell] Garbage collection not supported for remote PowerShell provider`);
+
+    return '';
+  }
+
+  async listResources(): Promise<ProviderResource[]> {
+    const resource = new ProviderResource();
+    resource.Name = this.host;
+
+    return [resource];
+  }
+
+  async listWorkflow(): Promise<ProviderWorkflow[]> {
+    return [];
+  }
+
+  async watchWorkflow(): Promise<string> {
+    return '';
+  }
+
+  private buildPwshCommand(script: string): string {
+    return `pwsh -NoProfile -NonInteractive -Command "${script.replace(/"/g, '\\"')}"`;
+  }
+
+  private buildInvokeCommand(remoteScript: string): string {
+    const escapedScript = remoteScript.replace(/"/g, '\\"').replace(/'/g, "''");
+
+    if (this.transport === 'ssh') {
+      return `pwsh -NoProfile -NonInteractive -Command "Invoke-Command -HostName '${this.host}' -ScriptBlock { ${escapedScript} }"`;
+    }
+
+    // WinRM (default)
+    // Split on the FIRST colon only — passwords may contain colons
+    let credentialPart = '';
+    if (this.credential) {
+      const colonIndex = this.credential.indexOf(':');
+      if (colonIndex === -1) {
+        throw new Error('remotePowershellCredential must be in "username:password" format (no colon found)');
+      }
+      const user = this.credential.substring(0, colonIndex);
+      const pass = this.credential.substring(colonIndex + 1);
+      credentialPart = `-Credential (New-Object PSCredential('${user}', (ConvertTo-SecureString '${pass}' -AsPlainText -Force)))`;
+    }
+
+    return `pwsh -NoProfile -NonInteractive -Command "Invoke-Command -ComputerName '${this.host}' ${credentialPart} -ScriptBlock { ${escapedScript} }"`;
+  }
+}
+export default RemotePowershellProvider;

src/model/orchestrator/providers/remote-powershell/remote-powershell-provider.test.ts

@@ -0,0 +1,264 @@
+import RemotePowershellProvider from '.';
+import BuildParameters from '../../../build-parameters';
+import { OrchestratorSystem } from '../../services/core/orchestrator-system';
+import OrchestratorLogger from '../../services/core/orchestrator-logger';
+
+jest.mock('../../services/core/orchestrator-system');
+jest.mock('../../services/core/orchestrator-logger');
+
+const mockRun = OrchestratorSystem.Run as jest.MockedFunction<typeof OrchestratorSystem.Run>;
+const mockLog = OrchestratorLogger.log as jest.MockedFunction<typeof OrchestratorLogger.log>;
+const mockLogWarning = OrchestratorLogger.logWarning as jest.MockedFunction<typeof OrchestratorLogger.logWarning>;
+
+function createBuildParameters(overrides: Partial<BuildParameters> = {}): BuildParameters {
+  return {
+    remotePowershellHost: 'build-server-01.internal',
+    remotePowershellTransport: 'wsman',
+    remotePowershellCredential: 'admin:P@ssw0rd!',
+    ...overrides,
+  } as BuildParameters;
+}
+
+describe('RemotePowershellProvider', () => {
+  let provider: RemotePowershellProvider;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    provider = new RemotePowershellProvider(createBuildParameters());
+  });
+
+  describe('constructor', () => {
+    it('defaults transport to wsman when not specified', () => {
+      const params = createBuildParameters({ remotePowershellTransport: undefined });
+      const p = new RemotePowershellProvider(params);
+      expect(p).toBeDefined();
+    });
+
+    it('accepts ssh transport', () => {
+      const params = createBuildParameters({ remotePowershellTransport: 'ssh' });
+      const p = new RemotePowershellProvider(params);
+      expect(p).toBeDefined();
+    });
+  });
+
+  describe('setupWorkflow', () => {
+    it('tests WinRM connectivity via Test-WSMan and logs success', async () => {
+      mockRun.mockResolvedValueOnce('wsman output');
+
+      await provider.setupWorkflow('guid-123', createBuildParameters(), 'main', []);
+
+      expect(mockRun).toHaveBeenCalledTimes(1);
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('pwsh -NoProfile -NonInteractive');
+      expect(command).toContain('Test-WSMan');
+      expect(command).toContain('build-server-01.internal');
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('Connection test passed'));
+    });
+
+    it('sets session ID to the build GUID', async () => {
+      mockRun.mockResolvedValueOnce('');
+
+      await provider.setupWorkflow('my-build-guid', createBuildParameters(), 'main', []);
+
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('my-build-guid'));
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('ready'));
+    });
+
+    it('throws when host is not configured', async () => {
+      const params = createBuildParameters({ remotePowershellHost: '' });
+      provider = new RemotePowershellProvider(params);
+
+      await expect(provider.setupWorkflow('guid-123', params, 'main', [])).rejects.toThrow(
+        'remotePowershellHost is required',
+      );
+    });
+
+    it('throws descriptive error when connectivity test fails', async () => {
+      mockRun.mockRejectedValueOnce(new Error('WinRM service not running'));
+
+      await expect(provider.setupWorkflow('guid-123', createBuildParameters(), 'main', [])).rejects.toThrow(
+        'Failed to connect to remote host build-server-01.internal',
+      );
+    });
+  });
+
+  describe('runTaskInWorkflow', () => {
+    it('constructs WinRM Invoke-Command with credential and returns output', async () => {
+      mockRun.mockResolvedValueOnce('Build succeeded!');
+
+      const result = await provider.runTaskInWorkflow(
+        'guid-run1',
+        'unused-image',
+        'Unity.exe -batchmode -buildTarget Win64',
+        '/mount',
+        'C:\\Projects\\MyGame',
+        [],
+        [],
+      );
+
+      expect(result).toBe('Build succeeded!');
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('pwsh -NoProfile -NonInteractive');
+      expect(command).toContain("Invoke-Command -ComputerName 'build-server-01.internal'");
+      expect(command).toContain('-Credential');
+      expect(command).toContain('New-Object PSCredential');
+      expect(command).toContain('-ScriptBlock');
+      expect(command).toContain('Set-Location');
+    });
+
+    it('constructs SSH Invoke-Command when transport is ssh', async () => {
+      const params = createBuildParameters({ remotePowershellTransport: 'ssh' });
+      provider = new RemotePowershellProvider(params);
+      mockRun.mockResolvedValueOnce('SSH build output');
+
+      const result = await provider.runTaskInWorkflow('guid-ssh', 'img', 'build', '/m', '/w', [], []);
+
+      expect(result).toBe('SSH build output');
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain("Invoke-Command -HostName 'build-server-01.internal'");
+      expect(command).not.toContain('-ComputerName');
+      expect(command).not.toContain('-Credential');
+    });
+
+    it('includes environment variables in the remote script block', async () => {
+      mockRun.mockResolvedValueOnce('output');
+
+      const env = [
+        { name: 'UNITY_LICENSE', value: 'license-data-abc' },
+        { name: 'BUILD_TARGET', value: 'StandaloneWindows64' },
+      ];
+
+      await provider.runTaskInWorkflow('guid-env', 'img', 'build-cmd', '/m', '/w', env as any, []);
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('$env:UNITY_LICENSE');
+      expect(command).toContain('$env:BUILD_TARGET');
+    });
+
+    it('includes secrets in the remote script block', async () => {
+      mockRun.mockResolvedValueOnce('output');
+
+      const secrets = [{ ParameterKey: 'key1', EnvironmentVariable: 'SECRET_KEY', ParameterValue: 'secret-val-123' }];
+
+      await provider.runTaskInWorkflow('guid-sec', 'img', 'build-cmd', '/m', '/w', [], secrets as any);
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('$env:SECRET_KEY');
+    });
+
+    it('does not include credential in plaintext log output when using WinRM', async () => {
+      mockRun.mockResolvedValueOnce('output');
+
+      await provider.runTaskInWorkflow('guid-cred', 'img', 'cmd', '/m', '/w', [], []);
+
+      // The credential is used via ConvertTo-SecureString, not logged directly
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('ConvertTo-SecureString');
+      expect(command).toContain('-AsPlainText -Force');
+    });
+
+    it('omits credential part when no credential is configured (WinRM)', async () => {
+      const params = createBuildParameters({ remotePowershellCredential: '' });
+      provider = new RemotePowershellProvider(params);
+      mockRun.mockResolvedValueOnce('output');
+
+      await provider.runTaskInWorkflow('guid-nocred', 'img', 'cmd', '/m', '/w', [], []);
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain("Invoke-Command -ComputerName 'build-server-01.internal'");
+      expect(command).not.toContain('-Credential');
+      expect(command).not.toContain('PSCredential');
+    });
+
+    it('throws and logs warning when remote execution fails', async () => {
+      const execError = new Error('Remote execution failed: access denied');
+      mockRun.mockRejectedValueOnce(execError);
+
+      await expect(provider.runTaskInWorkflow('guid-fail', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'Remote execution failed',
+      );
+
+      expect(mockLogWarning).toHaveBeenCalledWith(expect.stringContaining('Task failed'));
+    });
+
+    it('preserves passwords containing colons when splitting credentials', async () => {
+      const params = createBuildParameters({
+        remotePowershellCredential: 'admin:P@ss:w0rd:with:colons!',
+      });
+      provider = new RemotePowershellProvider(params);
+      mockRun.mockResolvedValueOnce('output');
+
+      await provider.runTaskInWorkflow('guid-colon', 'img', 'cmd', '/m', '/w', [], []);
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain("PSCredential('admin'");
+      expect(command).toContain("ConvertTo-SecureString 'P@ss:w0rd:with:colons!'");
+    });
+
+    it('throws when credential has no colon separator', async () => {
+      const params = createBuildParameters({
+        remotePowershellCredential: 'nocolonhere',
+      });
+      provider = new RemotePowershellProvider(params);
+
+      await expect(provider.runTaskInWorkflow('guid-badcred', 'img', 'cmd', '/m', '/w', [], [])).rejects.toThrow(
+        'username:password',
+      );
+    });
+
+    it('sets working directory in the remote script', async () => {
+      mockRun.mockResolvedValueOnce('output');
+
+      await provider.runTaskInWorkflow('guid-wd', 'img', 'cmd', '/m', 'D:\\Builds\\Project', [], []);
+
+      const command = mockRun.mock.calls[0][0];
+      expect(command).toContain('Set-Location');
+      expect(command).toContain('D:\\Builds\\Project');
+    });
+  });
+
+  describe('cleanupWorkflow', () => {
+    it('completes without error and logs session cleanup', async () => {
+      // Setup first to set sessionId
+      mockRun.mockResolvedValueOnce('');
+      await provider.setupWorkflow('guid-cleanup', createBuildParameters(), 'main', []);
+
+      await provider.cleanupWorkflow(createBuildParameters(), 'main', []);
+
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('Cleaning up session'));
+    });
+  });
+
+  describe('garbageCollect', () => {
+    it('returns empty string and logs not-supported message', async () => {
+      const result = await provider.garbageCollect('', false, 0, false, false);
+      expect(result).toBe('');
+      expect(mockLog).toHaveBeenCalledWith(expect.stringContaining('not supported'));
+    });
+  });
+
+  describe('listResources', () => {
+    it('returns the configured host as a resource', async () => {
+      const resources = await provider.listResources();
+
+      expect(resources).toHaveLength(1);
+      expect(resources[0].Name).toBe('build-server-01.internal');
+    });
+  });
+
+  describe('listWorkflow', () => {
+    it('returns empty array (not implemented)', async () => {
+      const workflows = await provider.listWorkflow();
+      expect(workflows).toEqual([]);
+    });
+  });
+
+  describe('watchWorkflow', () => {
+    it('returns empty string (not implemented)', async () => {
+      const result = await provider.watchWorkflow();
+      expect(result).toBe('');
+    });
+  });
+});

src/model/orchestrator/services/reliability/build-reliability-service.test.ts

@@ -1,638 +0,0 @@
-import { execSync, execFileSync } from 'node:child_process';
-import fs from 'node:fs';
-import path from 'node:path';
-import { BuildReliabilityService } from './build-reliability-service';
-
-// Mock dependencies
-jest.mock('node:child_process');
-jest.mock('node:fs');
-jest.mock('@actions/core', () => ({
-  info: jest.fn(),
-  warning: jest.fn(),
-}));
-
-const mockExecSync = execSync as jest.MockedFunction<typeof execSync>;
-const mockExecFileSync = execFileSync as jest.MockedFunction<typeof execFileSync>;
-const mockFs = fs as jest.Mocked<typeof fs>;
-
-describe('BuildReliabilityService', () => {
-  beforeEach(() => {
-    jest.clearAllMocks();
-  });
-
-  // =========================================================================
-  // checkGitIntegrity
-  // =========================================================================
-
-  describe('checkGitIntegrity', () => {
-    it('should return true when fsck succeeds with clean output', () => {
-      mockExecSync.mockReturnValue('');
-      const result = BuildReliabilityService.checkGitIntegrity('/repo');
-      expect(result).toBe(true);
-      expect(mockExecSync).toHaveBeenCalledWith(
-        'git -C "/repo" fsck --no-dangling',
-        expect.objectContaining({ encoding: 'utf8' }),
-      );
-    });
-
-    it('should return false when fsck output contains corruption indicators', () => {
-      mockExecSync.mockReturnValue('broken link from tree abc123');
-      const result = BuildReliabilityService.checkGitIntegrity('/repo');
-      expect(result).toBe(false);
-    });
-
-    it('should return false when fsck output contains missing objects', () => {
-      mockExecSync.mockReturnValue('missing blob abc123');
-      const result = BuildReliabilityService.checkGitIntegrity('/repo');
-      expect(result).toBe(false);
-    });
-
-    it('should return false when execSync throws (non-zero exit code)', () => {
-      mockExecSync.mockImplementation(() => {
-        const error: any = new Error('fsck failed');
-        error.stderr = Buffer.from('error: bad object HEAD');
-        throw error;
-      });
-      const result = BuildReliabilityService.checkGitIntegrity('/repo');
-      expect(result).toBe(false);
-    });
-
-    it('should use current directory when no repoPath provided', () => {
-      mockExecSync.mockReturnValue('');
-      BuildReliabilityService.checkGitIntegrity();
-      expect(mockExecSync).toHaveBeenCalledWith('git -C "." fsck --no-dangling', expect.anything());
-    });
-  });
-
-  // =========================================================================
-  // cleanStaleLockFiles
-  // =========================================================================
-
-  describe('cleanStaleLockFiles', () => {
-    it('should return 0 when .git directory does not exist', () => {
-      mockFs.existsSync.mockReturnValue(false);
-      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
-      expect(result).toBe(0);
-    });
-
-    it('should remove lock files older than 10 minutes', () => {
-      const now = Date.now();
-      const oldTime = now - 15 * 60 * 1000; // 15 minutes ago
-
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.statSync.mockImplementation((filePath: any) => {
-        if (filePath === path.join('/repo', '.git')) {
-          return { isDirectory: () => true } as fs.Stats;
-        }
-        return { mtimeMs: oldTime } as fs.Stats;
-      });
-      mockFs.readdirSync.mockImplementation((dir: any) => {
-        if (dir === path.join('/repo', '.git')) {
-          return [
-            { name: 'index.lock', isDirectory: () => false },
-            { name: 'HEAD.lock', isDirectory: () => false },
-          ] as any;
-        }
-        return [];
-      });
-      mockFs.unlinkSync.mockReturnValue(undefined);
-
-      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
-      expect(result).toBe(2);
-      expect(mockFs.unlinkSync).toHaveBeenCalledTimes(2);
-    });
-
-    it('should NOT remove lock files younger than 10 minutes', () => {
-      const now = Date.now();
-      const recentTime = now - 2 * 60 * 1000; // 2 minutes ago
-
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.statSync.mockImplementation((filePath: any) => {
-        if (filePath === path.join('/repo', '.git')) {
-          return { isDirectory: () => true } as fs.Stats;
-        }
-        return { mtimeMs: recentTime } as fs.Stats;
-      });
-      mockFs.readdirSync.mockImplementation((dir: any) => {
-        if (dir === path.join('/repo', '.git')) {
-          return [{ name: 'index.lock', isDirectory: () => false }] as any;
-        }
-        return [];
-      });
-
-      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
-      expect(result).toBe(0);
-      expect(mockFs.unlinkSync).not.toHaveBeenCalled();
-    });
-
-    it('should recursively scan refs directory for lock files', () => {
-      const now = Date.now();
-      const oldTime = now - 15 * 60 * 1000;
-
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.statSync.mockImplementation((filePath: any) => {
-        if (filePath === path.join('/repo', '.git')) {
-          return { isDirectory: () => true } as fs.Stats;
-        }
-        return { mtimeMs: oldTime } as fs.Stats;
-      });
-      mockFs.readdirSync.mockImplementation((dir: any) => {
-        const gitDir = path.join('/repo', '.git');
-        if (dir === gitDir) {
-          return [{ name: 'refs', isDirectory: () => true }] as any;
-        }
-        if (dir === path.join(gitDir, 'refs')) {
-          return [{ name: 'heads', isDirectory: () => true }] as any;
-        }
-        if (dir === path.join(gitDir, 'refs', 'heads')) {
-          return [{ name: 'main.lock', isDirectory: () => false }] as any;
-        }
-        return [];
-      });
-      mockFs.unlinkSync.mockReturnValue(undefined);
-
-      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
-      expect(result).toBe(1);
-    });
-  });
-
-  // =========================================================================
-  // validateSubmoduleBackingStores
-  // =========================================================================
-
-  describe('validateSubmoduleBackingStores', () => {
-    it('should return empty array when .gitmodules does not exist', () => {
-      mockFs.existsSync.mockReturnValue(false);
-      const result = BuildReliabilityService.validateSubmoduleBackingStores('/repo');
-      expect(result).toEqual([]);
-    });
-
-    it('should detect broken backing store for submodule', () => {
-      mockFs.existsSync.mockImplementation((p: any) => {
-        if (p === path.join('/repo', '.gitmodules')) return true;
-        if (p === path.join('/repo', 'lib/sub', '.git')) return true;
-        // Backing store does not exist
-        return false;
-      });
-      mockFs.readFileSync.mockImplementation((p: any) => {
-        if (p === path.join('/repo', '.gitmodules')) {
-          return '[submodule "sub"]\n\tpath = lib/sub\n\turl = https://example.com/sub.git';
-        }
-        if (p === path.join('/repo', 'lib/sub', '.git')) {
-          return 'gitdir: ../../.git/modules/lib/sub';
-        }
-        return '';
-      });
-      mockFs.statSync.mockReturnValue({ isFile: () => true } as fs.Stats);
-
-      const result = BuildReliabilityService.validateSubmoduleBackingStores('/repo');
-      expect(result).toContain('lib/sub');
-    });
-
-    it('should return empty array when all submodule backing stores are valid', () => {
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.readFileSync.mockImplementation((p: any) => {
-        if (p === path.join('/repo', '.gitmodules')) {
-          return '[submodule "sub"]\n\tpath = lib/sub\n\turl = https://example.com/sub.git';
-        }
-        if (p === path.join('/repo', 'lib/sub', '.git')) {
-          return 'gitdir: ../../.git/modules/lib/sub';
-        }
-        return '';
-      });
-      mockFs.statSync.mockReturnValue({ isFile: () => true } as fs.Stats);
-
-      const result = BuildReliabilityService.validateSubmoduleBackingStores('/repo');
-      expect(result).toEqual([]);
-    });
-  });
-
-  // =========================================================================
-  // recoverCorruptedRepo
-  // =========================================================================
-
-  describe('recoverCorruptedRepo', () => {
-    it('should orchestrate fsck cleanup and re-fetch, returning true on success', () => {
-      // cleanStaleLockFiles: no .git dir
-      mockFs.existsSync.mockReturnValue(false);
-      mockFs.statSync.mockReturnValue({ isDirectory: () => false } as fs.Stats);
-
-      // fetch succeeds, then fsck succeeds
-      mockExecSync.mockReturnValue('');
-
-      const result = BuildReliabilityService.recoverCorruptedRepo('/repo');
-      expect(result).toBe(true);
-      // Should have called fetch
-      expect(mockExecSync).toHaveBeenCalledWith('git -C "/repo" fetch --all', expect.anything());
-    });
-
-    it('should return false when recovery fails to restore integrity', () => {
-      mockFs.existsSync.mockReturnValue(false);
-      mockFs.statSync.mockReturnValue({ isDirectory: () => false } as fs.Stats);
-
-      // fetch succeeds, but fsck fails
-      mockExecSync.mockImplementation((cmd: any) => {
-        if (typeof cmd === 'string' && cmd.includes('fetch')) return '';
-        if (typeof cmd === 'string' && cmd.includes('fsck')) {
-          return 'missing blob abc123';
-        }
-        return '';
-      });
-
-      const result = BuildReliabilityService.recoverCorruptedRepo('/repo');
-      expect(result).toBe(false);
-    });
-
-    it('should continue recovery even when fetch fails', () => {
-      mockFs.existsSync.mockReturnValue(false);
-      mockFs.statSync.mockReturnValue({ isDirectory: () => false } as fs.Stats);
-
-      let callCount = 0;
-      mockExecSync.mockImplementation((cmd: any) => {
-        callCount++;
-        if (typeof cmd === 'string' && cmd.includes('fetch')) {
-          throw new Error('network error');
-        }
-        // fsck call
-        return '';
-      });
-
-      const result = BuildReliabilityService.recoverCorruptedRepo('/repo');
-      // Should still attempt fsck after failed fetch
-      expect(callCount).toBeGreaterThanOrEqual(2);
-    });
-  });
-
-  // =========================================================================
-  // cleanReservedFilenames
-  // =========================================================================
-
-  describe('cleanReservedFilenames', () => {
-    it('should return empty array when Assets directory does not exist', () => {
-      mockFs.existsSync.mockReturnValue(false);
-      const result = BuildReliabilityService.cleanReservedFilenames('/project');
-      expect(result).toEqual([]);
-    });
-
-    it('should remove files with reserved names (con, prn, aux, nul)', () => {
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.readdirSync.mockImplementation((dir: any) => {
-        if (dir === path.join('/project', 'Assets')) {
-          return [
-            { name: 'con.txt', isDirectory: () => false },
-            { name: 'PRN.meta', isDirectory: () => false },
-            { name: 'aux.shader', isDirectory: () => false },
-            { name: 'nul.png', isDirectory: () => false },
-            { name: 'valid-file.cs', isDirectory: () => false },
-          ] as any;
-        }
-        return [];
-      });
-      mockFs.unlinkSync.mockReturnValue(undefined);
-
-      const result = BuildReliabilityService.cleanReservedFilenames('/project');
-      expect(result).toHaveLength(4);
-      expect(mockFs.unlinkSync).toHaveBeenCalledTimes(4);
-    });
-
-    it('should remove directories with reserved names', () => {
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.readdirSync.mockImplementation((dir: any) => {
-        if (dir === path.join('/project', 'Assets')) {
-          return [{ name: 'com1', isDirectory: () => true }] as any;
-        }
-        return [];
-      });
-      mockFs.rmSync.mockReturnValue(undefined);
-
-      const result = BuildReliabilityService.cleanReservedFilenames('/project');
-      expect(result).toHaveLength(1);
-      expect(mockFs.rmSync).toHaveBeenCalledWith(path.join('/project', 'Assets', 'com1'), {
-        recursive: true,
-        force: true,
-      });
-    });
-
-    it('should detect COM1 through COM9 and LPT1 through LPT9', () => {
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.readdirSync.mockImplementation((dir: any) => {
-        if (dir === path.join('/project', 'Assets')) {
-          return [
-            { name: 'com1.txt', isDirectory: () => false },
-            { name: 'COM9.meta', isDirectory: () => false },
-            { name: 'lpt1.dat', isDirectory: () => false },
-            { name: 'LPT9.log', isDirectory: () => false },
-          ] as any;
-        }
-        return [];
-      });
-      mockFs.unlinkSync.mockReturnValue(undefined);
-
-      const result = BuildReliabilityService.cleanReservedFilenames('/project');
-      expect(result).toHaveLength(4);
-    });
-
-    it('should not remove files that merely contain reserved names as substrings', () => {
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.readdirSync.mockImplementation((dir: any) => {
-        if (dir === path.join('/project', 'Assets')) {
-          return [
-            { name: 'controller.cs', isDirectory: () => false },
-            { name: 'printer-utils.cs', isDirectory: () => false },
-            { name: 'auxiliary.shader', isDirectory: () => false },
-          ] as any;
-        }
-        return [];
-      });
-
-      const result = BuildReliabilityService.cleanReservedFilenames('/project');
-      expect(result).toHaveLength(0);
-    });
-  });
-
-  // =========================================================================
-  // getAvailableSpaceMB
-  // =========================================================================
-
-  describe('getAvailableSpaceMB', () => {
-    it('should return -1 when the check fails', () => {
-      mockExecFileSync.mockImplementation(() => {
-        throw new Error('Command failed');
-      });
-
-      const result = BuildReliabilityService.getAvailableSpaceMB('/some/path');
-      expect(result).toBe(-1);
-    });
-
-    it('should parse wmic output on Windows', () => {
-      const originalPlatform = process.platform;
-      Object.defineProperty(process, 'platform', { value: 'win32' });
-
-      // 10 GB in bytes
-      mockExecFileSync.mockReturnValue('\r\nFreeSpace=10737418240\r\n' as any);
-
-      const result = BuildReliabilityService.getAvailableSpaceMB('C:\\builds');
-      // 10737418240 / (1024 * 1024) = 10240 MB
-      expect(result).toBeCloseTo(10240, 0);
-
-      Object.defineProperty(process, 'platform', { value: originalPlatform });
-    });
-
-    it('should parse df output on Unix', () => {
-      const originalPlatform = process.platform;
-      Object.defineProperty(process, 'platform', { value: 'linux' });
-
-      mockExecFileSync.mockReturnValue('  Avail\n  5120M\n' as any);
-
-      const result = BuildReliabilityService.getAvailableSpaceMB('/builds');
-      expect(result).toBe(5120);
-
-      Object.defineProperty(process, 'platform', { value: originalPlatform });
-    });
-  });
-
-  // =========================================================================
-  // getDirectorySizeMB
-  // =========================================================================
-
-  describe('getDirectorySizeMB', () => {
-    it('should return file size for a single file', () => {
-      // 5 MB in bytes
-      mockFs.statSync.mockReturnValue({ isDirectory: () => false, size: 5 * 1024 * 1024 } as any);
-
-      const result = BuildReliabilityService.getDirectorySizeMB('/path/to/file.zip');
-      expect(result).toBeCloseTo(5, 0);
-    });
-
-    it('should return total size for a directory tree', () => {
-      const subDir = path.join('/build', 'sub');
-
-      mockFs.statSync.mockImplementation((p: any) => {
-        const pathStr = typeof p === 'string' ? p : p.toString();
-        if (pathStr === '/build' || pathStr === subDir) {
-          return { isDirectory: () => true, size: 0 } as any;
-        }
-
-        return { isDirectory: () => false, size: 1024 * 1024 } as any; // 1 MB each
-      });
-
-      mockFs.readdirSync.mockImplementation((dirPath: any, _options?: any) => {
-        const dirStr = typeof dirPath === 'string' ? dirPath : dirPath.toString();
-        if (dirStr === '/build') {
-          return [
-            { name: 'file1.bin', isDirectory: () => false },
-            { name: 'sub', isDirectory: () => true },
-          ] as any;
-        }
-        if (dirStr === subDir) {
-          return [{ name: 'file2.bin', isDirectory: () => false }] as any;
-        }
-
-        return [] as any;
-      });
-
-      const result = BuildReliabilityService.getDirectorySizeMB('/build');
-      expect(result).toBeCloseTo(2, 0); // 2 files * 1 MB each
-    });
-
-    it('should return -1 when calculation fails', () => {
-      mockFs.statSync.mockImplementation(() => {
-        throw new Error('Access denied');
-      });
-
-      const result = BuildReliabilityService.getDirectorySizeMB('/inaccessible');
-      expect(result).toBe(-1);
-    });
-  });
-
-  // =========================================================================
-  // archiveBuildOutput
-  // =========================================================================
-
-  describe('archiveBuildOutput', () => {
-    it('should skip archiving when source path does not exist', () => {
-      mockFs.existsSync.mockReturnValue(false);
-      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
-      expect(mockExecSync).not.toHaveBeenCalled();
-    });
-
-    it('should create archive directory and tar.gz output', () => {
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.mkdirSync.mockReturnValue(undefined as any);
-      mockExecSync.mockReturnValue('');
-      // Make disk space check return unknown so we proceed
-      mockExecFileSync.mockImplementation(() => {
-        throw new Error('Command not found');
-      });
-      mockFs.statSync.mockImplementation(() => {
-        throw new Error('Not mocked');
-      });
-
-      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
-
-      expect(mockFs.mkdirSync).toHaveBeenCalledWith('/archives', { recursive: true });
-      expect(mockExecSync).toHaveBeenCalledWith(expect.stringContaining('tar -czf'), expect.anything());
-    });
-
-    it('should skip archival when insufficient disk space', () => {
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.mkdirSync.mockReturnValue(undefined as any);
-
-      // Source is 1000 MB
-      mockFs.statSync.mockImplementation((p: any) => {
-        const pathStr = typeof p === 'string' ? p : p.toString();
-        if (pathStr.endsWith('big-file.bin')) {
-          return { isDirectory: () => false, size: 1000 * 1024 * 1024 } as any;
-        }
-        return { isDirectory: () => true, size: 0 } as any;
-      });
-      mockFs.readdirSync.mockImplementation(() => {
-        return [{ name: 'big-file.bin', isDirectory: () => false }] as any;
-      });
-
-      // Only 500 MB available
-      const originalPlatform = process.platform;
-      Object.defineProperty(process, 'platform', { value: 'linux' });
-      mockExecFileSync.mockReturnValue('  Avail\n  500M\n' as any);
-
-      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
-
-      // Should NOT have attempted the tar command
-      expect(mockExecSync).not.toHaveBeenCalledWith(expect.stringContaining('tar'), expect.anything());
-
-      Object.defineProperty(process, 'platform', { value: originalPlatform });
-    });
-
-    it('should clean up partial archive on tar failure', () => {
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.mkdirSync.mockReturnValue(undefined as any);
-      mockFs.unlinkSync.mockReturnValue(undefined);
-
-      // Make disk space check return unknown so we proceed
-      mockExecFileSync.mockImplementation(() => {
-        throw new Error('Command not found');
-      });
-      mockFs.statSync.mockImplementation(() => {
-        throw new Error('Not mocked');
-      });
-
-      // tar command fails
-      mockExecSync.mockImplementation(() => {
-        const error: any = new Error('tar failed');
-        error.stderr = Buffer.from('No space left on device');
-        throw error;
-      });
-
-      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
-
-      // Should have attempted to clean up the partial archive
-      // (existsSync returns true for the partial file)
-      expect(mockFs.unlinkSync).toHaveBeenCalled();
-    });
-
-    it('should proceed with warning when disk space check fails', () => {
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.mkdirSync.mockReturnValue(undefined as any);
-      mockExecSync.mockReturnValue('');
-
-      // Disk space check fails
-      mockExecFileSync.mockImplementation(() => {
-        throw new Error('Command not found');
-      });
-      // Directory size check also fails
-      mockFs.statSync.mockImplementation(() => {
-        throw new Error('Not mocked');
-      });
-
-      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
-
-      // Should still proceed with tar
-      expect(mockExecSync).toHaveBeenCalledWith(expect.stringContaining('tar -czf'), expect.anything());
-    });
-  });
-
-  // =========================================================================
-  // enforceRetention
-  // =========================================================================
-
-  describe('enforceRetention', () => {
-    it('should return 0 when archive path does not exist', () => {
-      mockFs.existsSync.mockReturnValue(false);
-      const result = BuildReliabilityService.enforceRetention('/archive', 30);
-      expect(result).toBe(0);
-    });
-
-    it('should remove archives older than retention period', () => {
-      const now = Date.now();
-      const oldTime = now - 45 * 24 * 60 * 60 * 1000; // 45 days ago
-      const recentTime = now - 5 * 24 * 60 * 60 * 1000; // 5 days ago
-
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.readdirSync.mockReturnValue([
-        { name: 'build-old.tar.gz', isDirectory: () => false },
-        { name: 'build-recent.tar.gz', isDirectory: () => false },
-      ] as any);
-      mockFs.statSync.mockImplementation((p: any) => {
-        if ((p as string).includes('old')) {
-          return { mtimeMs: oldTime } as fs.Stats;
-        }
-        return { mtimeMs: recentTime } as fs.Stats;
-      });
-      mockFs.unlinkSync.mockReturnValue(undefined);
-
-      const result = BuildReliabilityService.enforceRetention('/archive', 30);
-      expect(result).toBe(1);
-      expect(mockFs.unlinkSync).toHaveBeenCalledTimes(1);
-    });
-
-    it('should keep all archives within retention period', () => {
-      const now = Date.now();
-      const recentTime = now - 5 * 24 * 60 * 60 * 1000;
-
-      mockFs.existsSync.mockReturnValue(true);
-      mockFs.readdirSync.mockReturnValue([
-        { name: 'build-1.tar.gz', isDirectory: () => false },
-        { name: 'build-2.tar.gz', isDirectory: () => false },
-      ] as any);
-      mockFs.statSync.mockReturnValue({ mtimeMs: recentTime } as fs.Stats);
-
-      const result = BuildReliabilityService.enforceRetention('/archive', 30);
-      expect(result).toBe(0);
-    });
-  });
-
-  // =========================================================================
-  // configureGitEnvironment
-  // =========================================================================
-
-  describe('configureGitEnvironment', () => {
-    it('should set GIT_TERMINAL_PROMPT=0 in process.env', () => {
-      mockExecSync.mockReturnValue('');
-      BuildReliabilityService.configureGitEnvironment();
-      expect(process.env.GIT_TERMINAL_PROMPT).toBe('0');
-    });
-
-    it('should configure http.postBuffer via git config', () => {
-      mockExecSync.mockReturnValue('');
-      BuildReliabilityService.configureGitEnvironment();
-      expect(mockExecSync).toHaveBeenCalledWith('git config --global http.postBuffer 524288000', expect.anything());
-    });
-
-    it('should configure core.longpaths via git config', () => {
-      mockExecSync.mockReturnValue('');
-      BuildReliabilityService.configureGitEnvironment();
-      expect(mockExecSync).toHaveBeenCalledWith('git config --global core.longpaths true', expect.anything());
-    });
-
-    it('should warn but not throw when git config commands fail', () => {
-      const core = require('@actions/core');
-      mockExecSync.mockImplementation(() => {
-        throw new Error('git config failed');
-      });
-
-      // Should not throw
-      expect(() => BuildReliabilityService.configureGitEnvironment()).not.toThrow();
-      expect(core.warning).toHaveBeenCalled();
-    });
-  });
-});

src/model/orchestrator/services/reliability/build-reliability-service.ts

@@ -1,527 +0,0 @@
-import { execSync, execFileSync } from 'node:child_process';
-import fs from 'node:fs';
-import path from 'node:path';
-import * as core from '@actions/core';
-
-/**
- * Build reliability features for hardening CI pipelines.
- * Provides git integrity checks, stale lock cleanup, submodule validation,
- * reserved filename removal, build archival, and git environment configuration.
- * All features are opt-in and fail gracefully (warnings only).
- */
-export class BuildReliabilityService {
-  // Windows reserved device names that cause Unity asset importer infinite loops
-  private static readonly RESERVED_NAMES = new Set([
-    'con',
-    'prn',
-    'aux',
-    'nul',
-    'com1',
-    'com2',
-    'com3',
-    'com4',
-    'com5',
-    'com6',
-    'com7',
-    'com8',
-    'com9',
-    'lpt1',
-    'lpt2',
-    'lpt3',
-    'lpt4',
-    'lpt5',
-    'lpt6',
-    'lpt7',
-    'lpt8',
-    'lpt9',
-  ]);
-
-  // Lock files to look for in the .git directory
-  private static readonly LOCK_FILE_NAMES = new Set(['index.lock', 'shallow.lock', 'config.lock', 'HEAD.lock']);
-
-  // Maximum age in milliseconds before a lock file is considered stale (10 minutes)
-  private static readonly LOCK_FILE_MAX_AGE_MS = 10 * 60 * 1000;
-
-  /**
-   * Run git fsck to check repository integrity.
-   * Returns true if the repo is healthy, false if corruption detected.
-   */
-  static checkGitIntegrity(repoPath: string = '.'): boolean {
-    core.info(`[Reliability] Checking git integrity in ${repoPath}`);
-
-    try {
-      const output = execSync(`git -C "${repoPath}" fsck --no-dangling`, {
-        encoding: 'utf8',
-        timeout: 120_000,
-        stdio: ['pipe', 'pipe', 'pipe'],
-      });
-
-      // Parse output for corruption indicators
-      const corruptionPatterns = [
-        /broken link/i,
-        /missing (blob|tree|commit|tag)/i,
-        /dangling/i,
-        /corrupt/i,
-        /error in /i,
-      ];
-
-      for (const pattern of corruptionPatterns) {
-        if (pattern.test(output)) {
-          core.warning(`[Reliability] Git integrity check found issues: ${output.trim()}`);
-          return false;
-        }
-      }
-
-      core.info('[Reliability] Git integrity check passed');
-      return true;
-    } catch (error: any) {
-      // execSync throws on non-zero exit code
-      const stderr = error.stderr?.toString() ?? error.message;
-      core.warning(`[Reliability] Git integrity check failed: ${stderr}`);
-      return false;
-    }
-  }
-
-  /**
-   * Remove stale .lock files from the .git directory.
-   * Only removes lock files older than 10 minutes to avoid interfering with active operations.
-   * Returns the number of lock files removed.
-   */
-  static cleanStaleLockFiles(repoPath: string = '.'): number {
-    const gitDir = path.join(repoPath, '.git');
-    if (!fs.existsSync(gitDir) || !fs.statSync(gitDir).isDirectory()) {
-      return 0;
-    }
-
-    core.info(`[Reliability] Scanning for stale lock files in ${gitDir}`);
-    const now = Date.now();
-    let removed = 0;
-
-    const cleanDirectory = (directory: string): void => {
-      if (!fs.existsSync(directory)) return;
-
-      try {
-        const entries = fs.readdirSync(directory, { withFileTypes: true });
-        for (const entry of entries) {
-          const fullPath = path.join(directory, entry.name);
-          if (entry.isDirectory()) {
-            cleanDirectory(fullPath);
-          } else if (entry.name.endsWith('.lock')) {
-            // Check if it is a known lock file location OR under refs/
-            const relativePath = path.relative(gitDir, fullPath);
-            const isKnownLock = BuildReliabilityService.LOCK_FILE_NAMES.has(entry.name);
-            const isRefsLock = relativePath.startsWith('refs' + path.sep);
-
-            if (isKnownLock || isRefsLock) {
-              try {
-                const stat = fs.statSync(fullPath);
-                const ageMs = now - stat.mtimeMs;
-
-                if (ageMs > BuildReliabilityService.LOCK_FILE_MAX_AGE_MS) {
-                  fs.unlinkSync(fullPath);
-                  removed++;
-                  core.info(
-                    `[Reliability] Removed stale lock file (age: ${Math.round(ageMs / 1000)}s): ${relativePath}`,
-                  );
-                } else {
-                  core.info(
-                    `[Reliability] Lock file is recent (age: ${Math.round(ageMs / 1000)}s), skipping: ${relativePath}`,
-                  );
-                }
-              } catch {
-                core.warning(`[Reliability] Could not remove lock file: ${fullPath}`);
-              }
-            }
-          }
-        }
-      } catch {
-        // Directory not accessible
-      }
-    };
-
-    cleanDirectory(gitDir);
-
-    if (removed > 0) {
-      core.info(`[Reliability] Cleaned ${removed} stale lock file(s)`);
-    } else {
-      core.info('[Reliability] No stale lock files found');
-    }
-
-    return removed;
-  }
-
-  /**
-   * Validate that submodule .git files point to existing backing stores
-   * under .git/modules/. Returns list of submodule paths with broken backing stores.
-   */
-  static validateSubmoduleBackingStores(repoPath: string = '.'): string[] {
-    const broken: string[] = [];
-    const gitmodulesPath = path.join(repoPath, '.gitmodules');
-
-    if (!fs.existsSync(gitmodulesPath)) {
-      core.info('[Reliability] No .gitmodules found, skipping submodule validation');
-      return broken;
-    }
-
-    core.info(`[Reliability] Validating submodule backing stores in ${repoPath}`);
-
-    try {
-      const content = fs.readFileSync(gitmodulesPath, 'utf8');
-      const pathMatches = content.matchAll(/path\s*=\s*(.+)/g);
-
-      for (const match of pathMatches) {
-        const submodulePath = match[1].trim();
-        const gitFile = path.join(repoPath, submodulePath, '.git');
-
-        if (!fs.existsSync(gitFile)) {
-          // Submodule not initialized -- not necessarily broken
-          continue;
-        }
-
-        try {
-          const stat = fs.statSync(gitFile);
-          if (stat.isFile()) {
-            // .git is a file -- should contain "gitdir: <path>"
-            const gitFileContent = fs.readFileSync(gitFile, 'utf8').trim();
-            const gitdirMatch = gitFileContent.match(/^gitdir:\s*(.+)$/);
-
-            if (gitdirMatch) {
-              const backingStore = path.resolve(path.join(repoPath, submodulePath), gitdirMatch[1]);
-              if (!fs.existsSync(backingStore)) {
-                broken.push(submodulePath);
-                core.warning(`[Reliability] Submodule ${submodulePath} has broken backing store: ${backingStore}`);
-              } else {
-                core.info(`[Reliability] Submodule ${submodulePath} backing store OK`);
-              }
-            } else {
-              broken.push(submodulePath);
-              core.warning(`[Reliability] Submodule ${submodulePath} .git file has invalid format`);
-            }
-          }
-        } catch {
-          // Can't read .git file
-          core.warning(`[Reliability] Could not read .git file for submodule: ${submodulePath}`);
-        }
-      }
-    } catch (error: any) {
-      core.warning(`[Reliability] Could not read .gitmodules: ${error.message}`);
-    }
-
-    if (broken.length > 0) {
-      core.warning(`[Reliability] ${broken.length} submodule(s) have broken backing stores`);
-    } else {
-      core.info('[Reliability] All submodule backing stores are valid');
-    }
-
-    return broken;
-  }
-
-  /**
-   * Orchestrate recovery of a corrupted repository.
-   * Sequence: fsck -> clean locks -> re-fetch -> retry fsck.
-   * Returns true if recovery succeeded.
-   */
-  static recoverCorruptedRepo(repoPath: string = '.'): boolean {
-    core.warning(`[Reliability] Attempting automatic recovery for ${repoPath}`);
-
-    // Step 1: Clean stale lock files that may be preventing operations
-    const locksRemoved = BuildReliabilityService.cleanStaleLockFiles(repoPath);
-    if (locksRemoved > 0) {
-      core.info(`[Reliability] Recovery: cleaned ${locksRemoved} lock file(s)`);
-    }
-
-    // Step 2: Re-fetch to restore missing objects
-    try {
-      core.info('[Reliability] Recovery: re-fetching from remote');
-      execSync(`git -C "${repoPath}" fetch --all`, {
-        encoding: 'utf8',
-        timeout: 300_000,
-        stdio: ['pipe', 'pipe', 'pipe'],
-      });
-      core.info('[Reliability] Recovery: fetch completed');
-    } catch (error: any) {
-      core.warning(`[Reliability] Recovery: fetch failed: ${error.stderr?.toString() ?? error.message}`);
-    }
-
-    // Step 3: Retry fsck
-    const healthy = BuildReliabilityService.checkGitIntegrity(repoPath);
-    if (healthy) {
-      core.info('[Reliability] Recovery succeeded -- repository is healthy');
-    } else {
-      core.warning('[Reliability] Recovery failed -- repository still has integrity issues');
-    }
-
-    return healthy;
-  }
-
-  /**
-   * Scan a directory tree for files/directories with Windows reserved names.
-   * These names (con, prn, aux, nul, com1-9, lpt1-9) with any extension
-   * cause Unity asset importer infinite loops on Windows.
-   * Returns list of paths that were removed.
-   */
-  static cleanReservedFilenames(projectPath: string): string[] {
-    const assetsPath = path.join(projectPath, 'Assets');
-    if (!fs.existsSync(assetsPath)) {
-      core.info(`[Reliability] No Assets directory found at ${assetsPath}, skipping reserved filename scan`);
-      return [];
-    }
-
-    core.info(`[Reliability] Scanning for reserved filenames in ${assetsPath}`);
-    const cleaned: string[] = [];
-
-    const scanDirectory = (directory: string): void => {
-      try {
-        const entries = fs.readdirSync(directory, { withFileTypes: true });
-        for (const entry of entries) {
-          const nameWithoutExtension = entry.name.split('.')[0].toLowerCase();
-          const fullPath = path.join(directory, entry.name);
-
-          if (BuildReliabilityService.RESERVED_NAMES.has(nameWithoutExtension)) {
-            try {
-              if (entry.isDirectory()) {
-                fs.rmSync(fullPath, { recursive: true, force: true });
-              } else {
-                fs.unlinkSync(fullPath);
-              }
-              cleaned.push(fullPath);
-              core.warning(`[Reliability] Removed reserved filename: ${fullPath}`);
-            } catch {
-              core.warning(`[Reliability] Could not remove reserved filename: ${fullPath}`);
-            }
-          } else if (entry.isDirectory()) {
-            scanDirectory(fullPath);
-          }
-        }
-      } catch {
-        // Directory not accessible
-      }
-    };
-
-    scanDirectory(assetsPath);
-
-    if (cleaned.length > 0) {
-      core.warning(`[Reliability] Cleaned ${cleaned.length} reserved filename(s)`);
-    } else {
-      core.info('[Reliability] No reserved filenames found');
-    }
-
-    return cleaned;
-  }
-
-  /**
-   * Get available disk space in megabytes for a given directory.
-   * Returns -1 if the check fails (unknown space).
-   *
-   * Cross-platform: uses wmic on Windows, df on Unix.
-   */
-  static getAvailableSpaceMB(directoryPath: string): number {
-    try {
-      if (process.platform === 'win32') {
-        const drive = path.parse(directoryPath).root;
-        const driveLetter = drive.replace(/[:\\\/]/g, '');
-        const output = execFileSync(
-          'wmic',
-          ['logicaldisk', 'where', `DeviceID='${driveLetter}:'`, 'get', 'FreeSpace', '/value'],
-          { encoding: 'utf8', timeout: 10_000 },
-        );
-        const match = output.match(/FreeSpace=(\d+)/);
-
-        return match ? Number.parseInt(match[1], 10) / (1024 * 1024) : -1;
-      } else {
-        const output = execFileSync('df', ['-BM', '--output=avail', directoryPath], {
-          encoding: 'utf8',
-          timeout: 10_000,
-        });
-        const lines = output.trim().split('\n');
-
-        return Number.parseInt(lines[lines.length - 1], 10);
-      }
-    } catch {
-      return -1; // Unknown, caller should proceed with warning
-    }
-  }
-
-  /**
-   * Calculate the total size of a directory in megabytes.
-   * Returns -1 if the calculation fails.
-   */
-  static getDirectorySizeMB(directoryPath: string): number {
-    try {
-      const stat = fs.statSync(directoryPath);
-      if (!stat.isDirectory()) {
-        return stat.size / (1024 * 1024);
-      }
-
-      let totalBytes = 0;
-      const walkDirectory = (dir: string): void => {
-        const entries = fs.readdirSync(dir, { withFileTypes: true });
-        for (const entry of entries) {
-          const fullPath = path.join(dir, entry.name);
-          if (entry.isDirectory()) {
-            walkDirectory(fullPath);
-          } else {
-            try {
-              totalBytes += fs.statSync(fullPath).size;
-            } catch {
-              // Skip inaccessible files
-            }
-          }
-        }
-      };
-
-      walkDirectory(directoryPath);
-
-      return totalBytes / (1024 * 1024);
-    } catch {
-      return -1;
-    }
-  }
-
-  /**
-   * Create a tar.gz archive of build output.
-   *
-   * Validates disk space before archiving. Skips archival with a warning
-   * if insufficient space is detected, preventing partial writes on full disks.
-   */
-  static archiveBuildOutput(sourcePath: string, archivePath: string): void {
-    if (!fs.existsSync(sourcePath)) {
-      core.info(`[Reliability] No build output to archive at ${sourcePath}`);
-      return;
-    }
-
-    fs.mkdirSync(archivePath, { recursive: true });
-
-    // Check available disk space before archiving
-    const sourceSizeMB = BuildReliabilityService.getDirectorySizeMB(sourcePath);
-    const availableSpaceMB = BuildReliabilityService.getAvailableSpaceMB(archivePath);
-
-    if (sourceSizeMB >= 0 && availableSpaceMB >= 0) {
-      const neededMB = Math.ceil(sourceSizeMB * 1.1); // 10% safety margin
-      if (availableSpaceMB < neededMB) {
-        core.warning(
-          `[Reliability] Insufficient disk space for archive. ` +
-            `Need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB. Skipping archive.`,
-        );
-        return;
-      }
-      core.info(
-        `[Reliability] Disk space check passed: need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB`,
-      );
-    } else if (availableSpaceMB < 0) {
-      core.warning('[Reliability] Could not determine available disk space. Proceeding with archive cautiously.');
-    }
-
-    const timestamp = new Date().toISOString().replace(/[.:]/g, '-');
-    const archiveFile = path.join(archivePath, `build-${timestamp}.tar.gz`);
-
-    try {
-      execSync(`tar -czf "${archiveFile}" -C "${path.dirname(sourcePath)}" "${path.basename(sourcePath)}"`, {
-        encoding: 'utf8',
-        timeout: 600_000,
-        stdio: ['pipe', 'pipe', 'pipe'],
-      });
-      core.info(`[Reliability] Build output archived to ${archiveFile}`);
-    } catch (error: any) {
-      core.warning(`[Reliability] Failed to archive build output: ${error.stderr?.toString() ?? error.message}`);
-
-      // Clean up partial archive if it exists to avoid leaving corrupted files
-      try {
-        if (fs.existsSync(archiveFile)) {
-          fs.unlinkSync(archiveFile);
-          core.info(`[Reliability] Cleaned up partial archive: ${archiveFile}`);
-        }
-      } catch {
-        // Best-effort cleanup
-      }
-    }
-  }
-
-  /**
-   * Enforce retention policy -- delete archives older than the retention period.
-   * Returns the number of old archives removed.
-   */
-  static enforceRetention(archivePath: string, retentionDays: number): number {
-    if (!fs.existsSync(archivePath)) {
-      return 0;
-    }
-
-    const now = Date.now();
-    const retentionMs = retentionDays * 24 * 60 * 60 * 1000;
-    let removed = 0;
-
-    try {
-      const entries = fs.readdirSync(archivePath, { withFileTypes: true });
-      for (const entry of entries) {
-        const fullPath = path.join(archivePath, entry.name);
-        try {
-          const stat = fs.statSync(fullPath);
-          const ageMs = now - stat.mtimeMs;
-
-          if (ageMs > retentionMs) {
-            if (entry.isDirectory()) {
-              fs.rmSync(fullPath, { recursive: true, force: true });
-            } else {
-              fs.unlinkSync(fullPath);
-            }
-            removed++;
-            core.info(
-              `[Reliability] Removed old archive: ${entry.name} (age: ${Math.round(
-                ageMs / (24 * 60 * 60 * 1000),
-              )} days)`,
-            );
-          }
-        } catch {
-          core.warning(`[Reliability] Could not process archive entry: ${fullPath}`);
-        }
-      }
-    } catch {
-      core.warning(`[Reliability] Could not read archive directory: ${archivePath}`);
-      return 0;
-    }
-
-    if (removed > 0) {
-      core.info(
-        `[Reliability] Retention enforced: removed ${removed} old archive(s), retention: ${retentionDays} days`,
-      );
-    }
-
-    return removed;
-  }
-
-  /**
-   * Configure git environment variables for CI reliability.
-   * Sets GIT_TERMINAL_PROMPT=0, increases http.postBuffer, enables core.longpaths.
-   */
-  static configureGitEnvironment(): void {
-    core.info('[Reliability] Configuring git environment for CI');
-
-    // Prevent git from prompting for credentials (hangs in CI)
-    process.env.GIT_TERMINAL_PROMPT = '0';
-    core.info('[Reliability] Set GIT_TERMINAL_PROMPT=0');
-
-    try {
-      // Increase http.postBuffer to 500MB for large pushes
-      execSync('git config --global http.postBuffer 524288000', {
-        encoding: 'utf8',
-        timeout: 10_000,
-        stdio: ['pipe', 'pipe', 'pipe'],
-      });
-      core.info('[Reliability] Set http.postBuffer=524288000 (500MB)');
-    } catch (error: any) {
-      core.warning(`[Reliability] Could not set http.postBuffer: ${error.message}`);
-    }
-
-    try {
-      // Enable long paths on Windows
-      execSync('git config --global core.longpaths true', {
-        encoding: 'utf8',
-        timeout: 10_000,
-        stdio: ['pipe', 'pipe', 'pipe'],
-      });
-      core.info('[Reliability] Set core.longpaths=true');
-    } catch (error: any) {
-      core.warning(`[Reliability] Could not set core.longpaths: ${error.message}`);
-    }
-  }
-}

src/model/orchestrator/services/reliability/index.ts

@@ -1 +0,0 @@
-export { BuildReliabilityService } from './build-reliability-service';